SYSTEMS AND METHODS FOR DETERMINING WIRELESS NETWORK TOPOLOGY 

CROSS-REFERENCE TO RELATED PATENT APPLICATIONS 
This application claims priority to, and incorporates by reference in its entirety 
for all purposes, commonly assigned provisional U.S. Patent Application Serial No. 
60/464,464, filed April 21, 2003, entitled "SYSTEMS AND METHODS FOR 
NETWORK SECURITY". 

BACKGROUND 

The present invention is directed to systems and methods for managing wireless computer networks. More specifically, without limitation, the present invention relates to computer-based systems and methods for wireless network topology mapping and analysis. 

The Internet is a global network of connected computer networks. Over the last 
several years, the Internet has grown in significant measure. A large number of 
computers on the Internet provide information in various forms. Anyone with a 
computer connected to the Internet can potentially tap into this vast pool of 
information. 

The information available via the Internet encompasses information available 
via a variety of types of application layer information servers such as SMTP (simple 
mail transfer protocol), POP3 (Post Office Protocol), GOPHER (RFC 1436), WAIS, 
HTTP (Hypertext Transfer Protocol, RFC 2616) and FTP (file transfer protocol, RFC 
1123). 

One of the most widespread methods of providing information over the Internet is via the World Wide Web (the Web). The Web consists of a subset of the computers connected to the Internet; the computers in this subset run Hypertext Transfer Protocol (HTTP) servers (Web servers). Several extensions and modifications to HTTP have been proposed including, for example, an extension framework (RFC 2774) and authentication (RFC 2617). Information on the Internet can be accessed through the use of a Uniform Resource Identifier (URI, RFC 2396). A URI uniquely specifies the location of a particular piece of information on the Internet. A URI will typically be composed of several components. The first component typically designates the protocol by which the addressed piece of information is accessed (e.g., HTTP, GOPHER, etc.). This first component is separated from the remainder of the URI by a colon (':'). The remainder of the URI will depend upon the protocol component. Typically, the remainder designates a computer on the Internet by name, or by IP number, as well as a more specific designation of the location of the resource on the designated computer. For instance, a typical URI for an HTTP resource might be: 

http://www.server.com/dir1/dir2/resource.htm 

where http is the protocol, www.server.com is the designated computer and /dir1/dir2/resource.htm designates the location of the resource on the designated computer. The term URI includes Uniform Resource Names (URN's) including URN's as defined according to RFC 2141. 

Web servers host information in the form of Web pages; collectively the server and the information hosted are referred to as a Web site. A significant number of Web pages are encoded using the Hypertext Markup Language (HTML) although other encodings using SGML, Extensible Markup Language (XML), DHTML or XHTML are possible. The published specifications for these languages are incorporated by reference herein; such specifications are available from the World Wide Web Consortium and its Web site (http://www.w3c.org). Web pages in these formatting languages may include links to other Web pages on the same Web site or another. As will be known to those skilled in the art, Web pages may be generated dynamically by a server by integrating a variety of elements into a formatted page prior to transmission to a Web client. Web servers, and information servers of other types, await requests for the information from Internet clients. 

Client software has evolved that allows users of computers connected to the Internet to access this information. Advanced clients such as Netscape's Navigator and Microsoft's Internet Explorer allow users to access software provided via a variety of information servers in a unified client environment. Typically, such client software is referred to as browser software. 

Electronic mail (e-mail) is another widespread application using the Internet. A variety of protocols are often used for e-mail transmission, delivery and processing including SMTP and POP3 as discussed above. These protocols refer, respectively, to standards for communicating e-mail messages between servers and for server-client communication related to e-mail messages. These protocols are defined respectively in particular RFC's (Request for Comments) promulgated by the IETF (Internet Engineering Task Force). The SMTP protocol is defined in RFC 821, and the POP3 protocol is defined in RFC 1939. 

Since the inception of these standards, various needs have evolved in the field of e-mail leading to the development of further standards including enhancements or additional protocols. For instance, various enhancements have evolved to the SMTP standards leading to the evolution of extended SMTP. Examples of extensions may be seen in (1) RFC 1869 that defines a framework for extending the SMTP service by defining a means whereby a server SMTP can inform a client SMTP as to the service extensions it supports and in (2) RFC 1891 that defines an extension to the SMTP service, which allows an SMTP client to specify (a) that delivery status notifications (DSNs) should be generated under certain conditions, (b) whether such notifications should return the contents of the message, and (c) additional information, to be returned with a DSN, that allows the sender to identify both the recipient(s) for which the DSN was issued, and the transaction in which the original message was sent. 

In addition, the IMAP protocol has evolved as an alternative to POP3 that supports more advanced interactions between e-mail servers and clients. This protocol is described in RFC 2060. 

The various standards discussed herein by reference to particular RFC's are hereby incorporated by reference herein for all purposes. These RFC's are available to the public through the Internet Engineering Task Force (IETF) and can be retrieved from its Web site (http://www.ietf.org/rfc.html). The specified protocols are not intended to be limited to the specific RFC's quoted herein above but are intended to include extensions and revisions thereto. Such extensions and/or revisions may or may not be encompassed by current and/or future RFC's. 

A host of e-mail server and client products have been developed in order to foster e-mail communication over the Internet. E-mail server software includes such products as sendmail-based servers, Microsoft Exchange, Lotus Notes Server, and Novell GroupWise; sendmail-based servers refer to a number of variations of servers originally based upon the sendmail program developed for the UNIX operating system. A large number of e-mail clients have also been developed that allow a user to retrieve and view e-mail messages from a server; example products include Microsoft Outlook, Microsoft Outlook Express, Netscape Messenger, and Eudora. In addition, some e-mail servers, or e-mail servers in conjunction with a Web server, allow a Web browser to act as an e-mail client using the HTTP standard. 

As the Internet has become more widely used, it has also created new risks for corporations. Breaches of computer security by hackers and intruders and the potential for compromising sensitive corporate information are a very real and serious threat. 

Wireless Local Area Networks (WLANs) offer a quick and effective extension of a wired network or standard local area network (LAN). FIG. 1 depicts a typical LAN 190 including both wired and wireless components. The wired component depicted in FIG. 1 includes a variety of connected systems including local servers 120, local clients 130 and network accessible data storage components 110. By simply installing access points 180A, 180B to the wired network (e.g., Ethernet 150 and router 140), personal computers and laptops equipped with WLAN cards 170A, 170B can connect with the wired network at broadband speeds. 

Over the last few years, most deployments of WLANs have conformed to the Institute of Electrical and Electronics Engineers (IEEE) 802.11b standard that operates over the unregulated 2.4 GHz frequency spectrum. The 802.11b standard offers connectivity of up to 11 Mbps - fast enough to handle large e-mail attachments and run bandwidth-intensive applications like video conferencing. While the 802.11b standard now dominates the WLAN market, other variations of the 802.11 standard, such as 802.11a, 802.11g, and supporting standards such as 802.1X, are being developed to handle increased speeds and enhanced functionality. WLAN vendors have committed to supporting a variety of standards. The various 802.11 standards developed by the IEEE are available for download via URL: http://standards.ieee.org/getieee802/802.11.html; these various standards are hereby incorporated by this reference herein. 
As businesses connected their LANs to the Internet 160, they installed firewalls 145 to protect their local networks and act as security gates to fend off unauthorized traffic coming from the Internet's information highway such as potential hacker 135. The mobility of air-bound, wireless networks creates security concerns where threats can come from any direction and are not limited to the wired infrastructure. Established security practices of guarding a few wired entry points to the network are no longer effective. A firewall 145 may effectively deter an attack from a wired hacker 135 via the Internet 160; however, wireless hackers 195A, 195B typically enter the LAN 190 through access points 180A, 180B that are already behind the firewall 145. Companies must constantly monitor their airwaves to survey wireless activity and guard against intruders. 

Because wireless communication is broadcast over radio waves, eavesdroppers 195A, 195B who merely listen to the airwaves can easily pick up unencrypted messages. Additionally, messages encrypted with the Wired Equivalent Privacy (WEP) security protocol can be decrypted with a little time and easily available hacking tools. These passive intruders put businesses at risk of exposing sensitive information to corporate espionage. 

The theft of an authorized user's identity poses one of the greatest threats. Service Set Identifiers (SSIDs) that act as crude passwords and Media Access Control (MAC) addresses that act as personal identification numbers are often used to verify that clients are authorized to connect with an access point. However, existing encryption standards are not foolproof and allow knowledgeable intruders to pick up approved SSIDs and MAC addresses to connect to a WLAN as an authorized user with the ability to steal bandwidth, corrupt or download files, and wreak havoc on the entire network. 

Outsiders who cannot gain access to a WLAN can nonetheless pose security threats by jamming or flooding the airwaves with static noise that causes WLAN signals to collide and produce CRC errors. These Denial-of-Service (DoS) attacks effectively shut down the wireless network in a similar way that DoS attacks affect wired networks. 

Careless and deceitful actions by both loyal and disgruntled employees also present security risks and performance issues to wireless networks with unauthorized access points, improper security measures, and network abuses. Because a simple WLAN can be easily installed by attaching a $80 access point to a wired network and a $30 WLAN card to a laptop, employees are deploying unauthorized WLANs or peer-to-peer wireless connections 175 when IT departments are slow to adopt the new technology. 

Incorrectly configured access points are an avoidable but significant hole in WLAN security. Many access points are initially configured to broadcast unencrypted SSIDs of authorized users. While SSIDs are intended to be passwords to verify authorized users, intruders can easily steal an unencrypted SSID to assume the identity of an authorized user. 

Authorized users can also threaten the integrity of the network with abuses that drain connection speeds, consume bandwidth, and hinder a WLAN's overall performance. A few users who clog the network by trading large files such as MP3 audio or MPEG video files can affect the productivity of everyone on the wireless network. 

The systems and methods according to the present invention provide solutions 
to these and other security and/or management issues associated with WLANs and/or 
encrypted computer networks. 

SUMMARY 

The present invention is directed to systems and methods for mapping and/or analysis of wireless network topologies. One preferred embodiment according to the present invention includes a system data store (SDS) and a system processor. The SDS stores data needed to provide the desired topology mapping and/or analysis functionality and may include, for example, access point characteristic data, wireless network node characteristic data, access point/node relationship data, and/or node/node relationship data. The SDS may include multiple physical and/or logical data stores for storing the various types of information. Data storage and retrieval functionality may be provided by either the system processor or data storage processors associated with, or included within, the SDS. Some embodiments can further include one or more wireless receivers that monitor wireless transmissions. 
The system processor is in communication with the SDS via any suitable communication channel(s); in embodiments including one or more wireless receivers, the system processor is in communication with the one or more wireless receivers via the same, or differing, communication channel(s). The system processor may include one or more processing elements that provide and/or support the desired detection and/or enforcement functionality. In some embodiments, the system processor can include local, central and/or peer processing elements depending upon equipment and the configuration thereof. 

Accordingly, one preferred method of wireless network topology mapping includes a variety of steps that may, in certain embodiments, be executed by the environment above or be stored as computer executable instructions in and/or on any suitable combination of computer-readable media. Scan data associated with monitoring one or more wireless access points and/or one or more wireless network nodes is received. In some embodiments, the received scan data is the result of scanning wireless transmission by one or more wireless receivers, where such scanning can occur continuously, on demand, at periodic intervals, at aperiodic intervals or some combination thereof. The received scan data, potentially in combination with other data such as access point and/or node characteristics, is used to identify one or more relationships between two access points, between two nodes and/or between an access point and a node. The identified relationships are stored and/or outputted. 

The stored relationships in some embodiments can be output to a user or to a computer system. When output to a user, the stored relationships may be formatted in certain embodiments according to a desired output platform and/or a desired output representation. In some such embodiments, the relationships are formatted in a graphical representation, where some such representation may use color to designate various characteristics of relationships, and/or the nodes and/or access points, represented. 

The stored relationships in some embodiments may be output to a computer system. In some such embodiments, the stored relationships may be formatted prior to output to the computer system. The receiving computer system can perform additional processing of the relationship data. 
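As an added example (not code from this application), the following Python carries out the mapping and output steps described above on constructed scan records: beacons identify access points, data frames yield access point/node and node/node relationships, access points advertising the same SSID are related to one another, and the text output tags each access point with the colour a graphical rendering would use for its authorisation status. The record schema, the authorised access point table held in the SDS, the sensor names and all MAC addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ScanRecord:
    """One observed 802.11 frame as reported by a wireless receiver (assumed schema)."""
    sensor: str        # sensor device that reported the frame
    ftype: str         # "beacon" or "data"
    bssid: str
    src: str
    dst: str
    ssid: str = ""     # carried by beacons only


# Access point characteristic data as the SDS might hold it (assumption):
# BSSIDs the organisation has authorised and the SSID each should advertise.
AUTHORISED_APS: dict[str, str] = {
    "02:00:00:00:01:80": "corp-wlan",
    "02:00:00:00:02:80": "corp-wlan",
}

# Constructed scan data from two sensors; all MACs are locally administered test values.
SCAN_DATA: list[ScanRecord] = [
    ScanRecord("230A", "beacon", "02:00:00:00:01:80", "02:00:00:00:01:80", BROADCAST, "corp-wlan"),
    ScanRecord("230A", "data", "02:00:00:00:01:80", "02:00:00:00:01:70", "02:00:00:00:01:80"),
    ScanRecord("230B", "beacon", "02:00:00:00:02:80", "02:00:00:00:02:80", BROADCAST, "corp-wlan"),
    ScanRecord("230B", "data", "02:00:00:00:02:80", "02:00:00:00:02:80", "02:00:00:00:02:70"),
    # An access point absent from the authorised table (an unauthorised AP).
    ScanRecord("230B", "beacon", "02:00:00:00:0e:80", "02:00:00:00:0e:80", BROADCAST, "free-wifi"),
    ScanRecord("230B", "data", "02:00:00:00:0e:80", "02:00:00:00:02:71", "02:00:00:00:0e:80"),
    # Peer-to-peer traffic: its BSSID belongs to no observed access point.
    ScanRecord("230A", "data", "02:00:00:00:ad:0c", "02:00:00:00:01:71", "02:00:00:00:01:72"),
]


def map_topology(records: list[ScanRecord]) -> dict:
    """Identify AP/node, node/node and AP/AP relationships from scan records."""
    aps: dict[str, str] = {}             # bssid -> advertised SSID
    seen_by = defaultdict(set)           # bssid -> sensors that heard it
    for r in records:
        if r.ftype == "beacon":
            aps[r.bssid] = r.ssid
            seen_by[r.bssid].add(r.sensor)

    ap_node = defaultdict(set)           # bssid -> nodes using that AP
    node_node: set[frozenset] = set()    # unordered peer pairs
    for r in records:
        if r.ftype != "data":
            continue
        if r.bssid in aps:
            # Infrastructure traffic: the non-AP address is a node of that AP.
            for mac in (r.src, r.dst):
                if mac != r.bssid and mac != BROADCAST:
                    ap_node[r.bssid].add(mac)
        elif BROADCAST not in (r.src, r.dst) and r.src != r.dst:
            # No observed access point owns this BSSID: record a node/node link.
            node_node.add(frozenset((r.src, r.dst)))

    # Access points advertising the same SSID are related (assumed to form one extended service set).
    by_ssid = defaultdict(list)
    for bssid, ssid in aps.items():
        by_ssid[ssid].append(bssid)
    ap_ap: set[frozenset] = set()
    for members in by_ssid.values():
        for i, a in enumerate(members):
            for b in members[i + 1:]:
                ap_ap.add(frozenset((a, b)))

    return {
        "aps": aps,
        "seen_by": {k: sorted(v) for k, v in seen_by.items()},
        "ap_node": {k: sorted(v) for k, v in ap_node.items()},
        "node_node": node_node,
        "ap_ap": ap_ap,
    }


def unauthorised_aps(topology: dict, authorised: dict[str, str]) -> list[str]:
    """Beaconing BSSIDs missing from the authorised table or advertising a different SSID."""
    return sorted(b for b, s in topology["aps"].items() if authorised.get(b) != s)


def render(topology: dict, authorised: dict[str, str]) -> list[str]:
    """Text rendering; the colour tag stands in for the colour a graphical output would use."""
    lines = []
    bad = set(unauthorised_aps(topology, authorised))
    for bssid, ssid in sorted(topology["aps"].items()):
        colour = "red" if bssid in bad else "green"
        sensors = ",".join(topology["seen_by"][bssid])
        lines.append(f"[{colour}] AP {bssid} ssid={ssid!r} seen_by={sensors}")
        for node in topology["ap_node"].get(bssid, []):
            lines.append(f"    node {node}")
    for pair in sorted(topology["node_node"], key=sorted):
        a, b = sorted(pair)
        lines.append(f"[yellow] peer {a} <-> {b}")
    return lines
```

Running `render(map_topology(SCAN_DATA), AUTHORISED_APS)` lists the two authorised access points in green with their nodes, the unlisted "free-wifi" access point in red, and the peer-to-peer pair in yellow.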
Additional advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The advantages of the invention will be realized and attained by means of the elements and combinations particularly pointed out herein. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention. 

BRIEF DESCRIPTION OF THE DRAWINGS 
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description, serve to explain the principles of the invention. 

FIG. 1 graphically depicts a typical LAN with both wired and wireless 
components. 

FIGs. 2A-E graphically depict LANs incorporating various preferred embodiments according to the present invention. 

FIG. 3 is a flow chart of a multi-dimensional wireless intrusion detection 
process according to one preferred embodiment of the present invention. 

FIG. 4 is a flow chart of an example multiple input wireless intrusion detection 
process including multiple input correlation and long-term data fusion. 
FIG. 5 is a flow chart of an exemplary dynamic channel change active defense process that includes a honeypot trap. 

FIGs. 6A-B are flow charts of example station identification and location 
mapping processes. 

FIGs. 7A-C are diagrams depicting exemplary architectures for sensor devices. 

FIGs. 8A-B are flow charts depicting an exemplary security data collection process performed according to the present invention. 

FIG. 9 is a flow chart depicting steps in an exemplary wireless network 
topology tracking process. 

FIG. 10 is a flow chart depicting an automated wireless network policy enforcement process. 

FIG. 11 is a flow chart depicting an adaptive scanning process. 
FIGs. 12A-B depict a sample visualization of a wireless network topology. 

FIG. 12A1 is a larger rendering of the left panel of FIG. 12A. 

FIGs. 13A1, 13A2, 13B1 & 13B2 depict sample screens providing interfaces for configuration of automated policy enforcement. 

FIG. 13A1a is a larger rendering of the left panel of FIG. 13A1. 

FIG. 14 depicts an exemplary interface for configuring a default or baseline scan pattern. 

DETAILED DESCRIPTION 

Exemplary embodiments of the present invention are now described in detail. Referring to the drawings, like numbers indicate like parts throughout the views. As used in the description herein, the meaning of "a," "an," and "the" includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein, the meaning of "in" includes "in" and "on" unless the context clearly dictates otherwise. Finally, as used in the description herein, the meanings of "and" and "or" include both the conjunctive and disjunctive and may be used interchangeably unless the context clearly dictates otherwise; the phrase "exclusive or" may be used to indicate a situation where only the disjunctive meaning may apply. 

Ranges may be expressed herein as from "about" one particular value, and/or to "about" another particular value. When such a range is expressed, another embodiment includes from the one particular value and/or to the other particular value. Similarly, when values are expressed as approximations, by use of the antecedent "about," it will be understood that the particular value forms another embodiment. It will be further understood that the endpoints of each of the ranges are significant both in relation to the other endpoint, and independently of the other endpoint. 

The term "Wi-Fi" is short for wireless fidelity and is another name for IEEE 802.11b. The foregoing discussion of exemplary embodiments may use terminology or make reference to the IEEE 802.11b standard, or other 802.11 variant; however, those skilled in the art will appreciate that systems and methods of the present invention may be applied to WLANs meeting these standards as well as WLANs developed according to competing WLAN standards. The phrase "frame" as used herein shall mean broadly any discretely defined communication transmitted via a computer network and shall not be limited to those specific frame types (control, management, data and error) defined according to 802.11X standards. 
Architecture of a Typical Access Environment 

FIGs. 2A-E depict several LAN environments including several preferred embodiments according to the present invention. These figures depict a typical LAN environment as depicted in FIG. 1 having wired and wireless components. In contrast to FIG. 1, FIGs. 2A-E include one or more hardware components supporting preferred embodiments according to the present invention. The depicted hardware components include a system processor, an SDS and one or more interfaces to one or more wireless and/or encrypted communications networks over which electronic communications are transmitted and received. 



The hardware components depicted in these figures are outlined as follows: 
o In FIG. 2A, the hardware components include a single device 210A that includes a local processor serving as the system processor, or at least a portion thereof, and the one or more interfaces to the wireless network. The device 210A is preferably a mobile computer system such as a notebook computer. The local primary and/or secondary storage of device 210A may serve as the SDS; alternatively, portions of the SDS may be provided by other systems capable of communicating with the device 210A such as network addressable data storage 110, local servers 120 and/or wireless stations 170A, 170B. In some embodiments, the device's interfaces to the wireless network may be limited to one or more wireless receivers. In other embodiments, the interfaces may include one or more wireless transmitters as well as one or more wireless receivers. If wireless transmitters are included, the device 210A may communicate over LAN 190 using a wireless access point 180A, 180B. In addition, included wireless transmitters may be used to support one or more of the active defense measures described in greater detail below. In some embodiments, the device 210A may further include a wired connection (not shown) to Ethernet 150 allowing direct communication between it and systems connected to the wired portion of LAN 190. 

o In FIG. 2B, the hardware components include multiple devices 210A, 210B, 210C, 210D. Each device 210A-D includes a local processor and one or more interfaces to the wireless network and is preferably a mobile computer system such as a notebook computer. The individual local processors in the aggregate serve as the system processor. The SDS may include a combination of storage local to each of the devices and/or external storage accessible via the LAN 190. As described above with respect to FIG. 2A, each device includes at least a wireless receiver but may also include additional wireless receivers and/or wireless transmitters. Each device may also include a wired connection (not shown) to Ethernet 150. Finally, the devices 210A-D may further use existing interfaces and/or incorporate additional interfaces to allow peer-to-peer communication among themselves. 

o In FIG. 2C, the hardware components include multiple devices 210A, 210B, 210C, 210D, 220. Each device 210A-D may include the various components as described above with respect to FIG. 2B. Device 220 includes a local processor and one or more communication interfaces; this device may be referred to hereinafter as the host system. Device 220's communication interfaces may include only a wired communication interface and may receive data related to wireless communications as forwarded by devices 210A-D over the wired Ethernet 150. In addition to, or instead of, the wired communication interface, device 220 may include one or more wireless communication interfaces each of which may include a wireless receiver, a wireless transmitter or both. In embodiments where devices 210A-D support peer-to-peer communication, device 220 may in some of such embodiments participate in the peer-to-peer communication and, in such instances, its communication interfaces would include the appropriate communication interface to support this participation. The system processor functionality in the depicted embodiment may be provided by the host system alone and/or by some combination of the devices 210A-D. The host system may in some embodiments provide the SDS for the environment; alternatively, the SDS may be supported by some combination of the local storage among the devices 210A-D, the local storage in the host system and external storage available through LAN 190. 
o In FIG. 2D, the hardware components include multiple devices 210A, 210B, 210C, 210D, 220, 230A, 230B. Devices 210A-D, 220 support the same functionality and include the same range of components as provided above with respect to FIG. 2C. In addition, devices 230A, 230B are sensor devices that monitor wireless traffic over the wireless network. These sensor devices at least include a wireless receiver for monitoring the traffic and a communication interface, wired (as depicted) or wireless (not shown), allowing communication with one or more of the devices 210A-D and/or the host system 220. In some embodiments, the sensor devices 230A, 230B may include a wireless transmitter for supporting communication with the other hardware components and/or for supporting various active wireless network defensive measures as discussed below. In some embodiments, the sensor devices 230A, 230B may further include local processing capability and/or local storage capability; in some such embodiments, the system processor and/or the SDS may incorporate these local capabilities of the sensor devices 230A, 230B. 
o In FIG. 2E, the hardware components include multiple devices 220, 230A, 230B. In this embodiment, the host system 220 and sensor devices 230A, 230B include the same functionality and range of components as discussed above with respect to FIGs. 2D and 2E respectively. In such embodiments, the host system 220 will typically provide a significant portion of the system processor functionality and will only have limited capacity to directly receive wireless network communication. In some of these embodiments, the host system 220 may have no wireless communication interface. 

The depicted hardware components include a system processor, potentially including multiple processing elements, that may be distributed across the depicted hardware components, where each processing element may be supported via Intel-compatible processor platforms preferably using at least one PENTIUM III or CELERON (Intel Corp., Santa Clara, CA) class processor; alternative processors such as UltraSPARC (Sun Microsystems, Palo Alto, CA) could be used in other embodiments. In some embodiments, security enhancement functionality, as further described below, may be distributed across multiple processing elements. The term processing element may refer to (1) a process running on a particular piece, or across particular pieces, of hardware, (2) a particular piece of hardware, or either (1) or (2) as the context allows. The sensor devices 230A, 230B depicted in FIGs. 2D-E may in some preferred embodiments include more limited optimized local processors such as a digital signal processor (DSP). Other embodiments can use application specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs). 

The depicted hardware components include an SDS that could include a variety of primary and secondary storage elements. In one preferred embodiment, the SDS would include RAM as part of the primary storage; the amount of RAM might range from 64 MB to 4 GB in each individual hardware device although these amounts could vary and represent overlapping use such as where the host system 220 supports additional functionality such as integration with firewall system 145 for providing unified wired and wireless security. The primary storage may in some embodiments include other forms of memory such as cache memory, registers, non-volatile memory (e.g., FLASH, ROM, EPROM, etc.), etc. The sensor devices 230A, 230B depicted in FIGs. 2D-E may in some preferred embodiments include more limited amounts and kinds of primary storage. In one preferred embodiment, the primary storage in the sensor devices includes FLASH memory. 

The SDS may also include secondary storage including single, multiple and/or varied servers and storage elements. For example, the SDS may use internal storage devices connected to the system processor. In embodiments where a single processing element supports all of the security analysis functionality, such as seen in FIGs. 2A and 2E, a local hard disk drive may serve as the secondary storage of the SDS, and a disk operating system executing on such a single processing element may act as a data server receiving and servicing data requests. 

It will be understood by those skilled in the art that the different information used in the security enhancement processes and systems according to the present invention may be logically or physically segregated within a single device serving as secondary storage for the SDS; multiple related data stores accessible through a unified management system, which together serve as the SDS; or multiple independent data stores individually accessible through disparate management systems, which may in some embodiments be collectively viewed as the SDS. The various storage elements that comprise the physical architecture of the SDS may be centrally located, or distributed across a variety of diverse locations. 

The architecture of the secondary storage of the system data store may vary significantly in different embodiments. In several embodiments, database(s) are used to store and manipulate the data; in some such embodiments, one or more relational database management systems, such as DB2 (IBM, White Plains, NY), SQL Server (Microsoft, Redmond, WA), ACCESS (Microsoft, Redmond, WA), ORACLE 8i (Oracle Corp., Redwood Shores, CA), Ingres (Computer Associates, Islandia, NY), MySQL (MySQL AB, Sweden) or Adaptive Server Enterprise (Sybase Inc., Emeryville, CA), may be used in connection with a variety of storage devices/file servers that may include one or more standard magnetic and/or optical disk drives using any appropriate interface including, without limitation, IDE and SCSI. In some embodiments, a tape library such as Exabyte X80 (Exabyte Corporation, Boulder, CO), a storage area network (SAN) solution such as available from EMC, Inc. (Hopkinton, MA), a network attached storage (NAS) solution such as a NetApp Filer 740 (Network Appliance, Sunnyvale, CA), or combinations thereof may be used. In other embodiments, the data store may use database systems with other architectures such as object-oriented, spatial, object-relational or hierarchical. 

Instead of, or in addition to, those organization approaches discussed above, 
certain embodiments may use other storage implementations such as hash tables or flat 
files or combinations of such architectures. Such alternative approaches may use data 
servers other than database management systems such as a hash table look-up server, 
procedure and/or process and/or a flat file retrieval server, procedure and/or process. 
Further, the SDS may use a combination of any of such approaches in organizing its 
secondary storage architecture. 

The hardware components may each have an appropriate operating system such 
as WINDOWS/NT, WINDOWS 2000 or WINDOWS/XP Server (Microsoft, Redmond, 
WA), Solaris (Sun Microsystems, Palo Alto, CA), or LINUX (or other UNIX variant). 
In one preferred embodiment, the devices 210A-D and/or host system 220 include a 
LINUX (or other UNIX variant) operating system; although other embodiments may 
include a WINDOWS/XP (or other WINDOWS family) operating system. 
Depending upon the hardware/operating system platform of the overall 
environment, appropriate server software may be included to support the desired access 
for the purpose of configuration, monitoring and/or reporting. Web server functionality 
may be provided via an Internet Information Server (Microsoft, Redmond, WA), an 
Apache HTTP Server (Apache Software Foundation, Forest Hill, MD), an iPlanet Web 
Server (iPlanet E-Commerce Solutions - A Sun - Netscape Alliance, Mountain View, 
CA) or other suitable Web server platform. The e-mail services may be supported via 
an Exchange Server (Microsoft, Redmond, WA), sendmail or other suitable e-mail 
server. Some embodiments may include one or more automated voice response (AVR) 
systems that are in addition to, or instead of, the aforementioned access servers. Such 
an AVR system could support a purely voice/telephone driven interface to the 
environment with hard copy output delivered electronically to a suitable hard copy output 
device (e.g., printer, facsimile, etc.), and forwarded as necessary through regular mail, 
courier, inter-office mail, facsimile or other suitable forwarding approach. 

Some preferred embodiments of the present invention include sensor devices 
230A, 230B of a form such as depicted in FIGs. 7A-C. FIG. 7A depicts a sensing 
device having combined functionality of an access point and sensor. The device 
includes a transceiver antenna 705 and a sensing antenna 710. The transceiver antenna 
705 allows receipt and transmission of wireless signals according to a predetermined 
protocol such as a variant of IEEE 802.11. Wireless stations associate with the active 
radio (transceiver antenna) which connects through port 720 to a wired network such as 
a network interface to a local Ethernet and/or to a further wireless network (transceiver 
not shown), a modem allowing connection to a network or direct connection to a host 
system or peer system, or combinations thereof. The sensing antenna 710 allows 
reception of wireless signals according to the protocol without impacting performance 
of the transceiver. The sensing antenna 710 receives all wireless signals in parallel with 
the transceiver antenna 705. The sensor can further include local data storage 715 that 
serves as the SDS, or a portion thereof. This local storage 715 contains any necessary 
operating code and/or data such as accumulated security data, network configuration 
data, sensor identification information and/or network communication related data. 
This local storage typically includes DRAM, FLASH memory or combinations thereof. 
The sensor can further include a local processor 725 that serves as the system 
processor, or a portion thereof. This local processor 725 supports communication 
management and security collection, and in some embodiments security analysis, 
functionality. The local processor can be any microprocessor, ASIC, FPGA or 
combination thereof that has the computing power capable of managing the two 
wireless components 705 and 710 and the auxiliary components of the device (e.g., 
local storage 715, network interface 720, etc.); for example, a Pentium I Class 
microprocessor (Intel) or faster is capable of managing the computing needs. The 
device will also include a connection to a power source such as the depicted alternating 
current (AC) interface 730, although other embodiments could in addition, or instead, 
include a power over Ethernet compatible interface or a repository for one or more 
disposable and/or rechargeable batteries. 

FIG. 7B depicts a stand-alone sensor embodiment. In this embodiment, a 
wireless transceiver for supporting access point functionality is not included. The 
description above with respect to FIG. 7A provides description of the like numbered 
components in FIG. 7B. This embodiment includes a further communication interface 
735. This additional interface can be used to connect further devices such as a standard 
access point. This would be useful for installing a sensor at a location with an existing 
access point without having to run another network line. Any data sent outbound from 
the device connected to interface 735 would be forwarded via network interface 720. 
Any data received at network interface 720 directed to the device would be forwarded 
via interface 735. 

FIG. 7C depicts a modified access point embodiment. In this embodiment, a 
separate antenna is not provided for parallel monitoring of wireless signals. Instead, 
wireless transceiver 705 is responsible for both access point and signal monitor 
functionality. This functionality can be implemented in software or hardware of the 
local processor 725, or as modified logic within the transceiver itself. This 
embodiment has the advantage that existing access points with sufficient local 
processing capability can be modified through either a hardware addition or a software 
upgrade to support the monitoring capability. One disadvantage is that the original 
access point may not have been intended to support both functions and, therefore, 
access point functionality may be degraded in some instances. 

As previously described, the sensors 230A-B and/or devices 210A-D in some 
embodiments collect and forward security related data to a host system 220 for further 
processing and analysis. Some such embodiments provide for local processing of 
security data. FIGs. 8A-B are flow charts depicting an exemplary security data 
collection process performed according to the present invention. In some 
embodiments, this process can be executed by sensors 230A-B and/or devices 210A-D. 

In some particular embodiments using an 802.11 compatible network, the 
hardware sensors read 802.11 radio waves and strip management and control frames, 
aggregate statistics and send collected information to a backend server. A hardware 
sensor can have several embodiments. Three embodiments such as depicted in FIGs. 
7A-7C would be a stand-alone hardware sensor (FIG. 7B), a combination 802.11 
Access Point/hardware sensor (FIG. 7A), and a modified 802.11 Access Point capable 
of stripping management and control frames and sending them back to a central server 
for analysis (FIG. 7C). 

A hardware sensor will typically include at least one 802.11 radio capable of 
reading 802.11 radio waves. To provide functionality for securing a wireless network, 
the hardware sensor strips 802.11 management and control frames off of wireless data 
transmissions and sends real-time or batched data back to a centralized server (e.g., host 
system 220) for analysis and processing to determine intrusions or other network 
activity such as health or performance monitoring, or performs such analysis and 
processing locally in peer-to-peer configurations. 

In the three above mentioned embodiments, the stand-alone hardware sensor 
would have an 802.11 radio operating in "promiscuous mode" in order to be 
undetectable from the airwaves and still read all 802.11 network traffic. In operating in 
promiscuous mode, the hardware sensor would not be able to transmit data such as 
beacon management and would be in a read-only operation mode. The sensor software 
embedded on the device would read 802.11 frames from the wireless network and 
interrogate them to strip the management and control frames from the data frames, 
collect the data and send it to the back-end server. The process to collect the data in 
one preferred approach is as follows: 
The physical hardware powers up and loads the operating system (preferred OS: 
Real-Time Linux or RTOS) to an operational state, step 800. On the first execution 
of the sensor process after power-up (step 805), a timer is initialized for management 
and control frame buffering (step 810). The timer allows the management and control 
frames to be buffered until the timer reaches a predetermined elapsed time, at which 
point they will be forwarded to a server or peer for processing or processed locally. 
Other embodiments can forward unbuffered management and control frames and 
would therefore not require a timer, or any process steps involving the timer. 

A wireless packet frame is then read from the wireless network, step 820. 
Frames are read so that the frame content can be interrogated in down-stream 
processes. This is also the entry point 815 in the process for retrieving the next frame 
after interrogation of the present frame. 

The packet frame read off the wireless network is interrogated to determine if 
the frame is of a redundant type such as management or control frames, step 825. If the 
frame is of a redundant type, processing continues at entry point 830 in FIG. 8B. 
Management and control frames are broadcast more frequently than data frames and are 
protocol specific. Further interrogation of a management or control frame is performed 
to determine whether the frame is a redundant type frame (i.e., Beacon Frame), step 
855. If not, control passes back to entry point 815 in FIG. 8A. Management and 
control frames such as beacon frames are broadcast more frequently than data frames 
and can be buffered as one record with a frame count to reduce the traffic on the 
network as frames are transmitted to the server or to a peer, or to reduce the overhead of 
local processing. The buffering can be accomplished by maintaining a frame count for 
the particular type of redundant frame (step 860) and populating an appropriate data 
structure based upon the redundant frame type (step 865). If an appropriate time 
interval has elapsed or if a particular time has been reached (step 870), or if no 
buffering is intended, processing proceeds to entry point 845 in FIG. 8A for forwarding 
of the redundant frame information to the central server or peer or for local processing 
depending upon the particular embodiment. If the timer does not trigger transmission 
or processing, processing continues at entry point 815 in FIG. 8A for retrieval of the 
next frame. 

If the frame is not of a redundant type, processing continues at step 835 where 
the header data is stripped from the wireless packet frame. The header data is used to 
get origin/destination data as well as for maintaining state. 

In step 840, a data structure is populated with pertinent information concerning 
wireless station state and protocol activity as well as origin and destination information 
for later down-line processing by a backend analysis server, by a peer or a local 
processor. 

Once data is accumulated and preprocessed by the remote sensor, the resulting 
data structures are passed back to the central server or a peer over IP or locally 
processed for intrusion detection analysis (step 850). The process continues at entry 
point 815 with the retrieval of the next frame. 
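The collection loop of FIGs. 8A-B (steps 805 through 870) modelled in Python, as an added example that is not the patent's code. Frames are constructed 802.11 MAC headers; the flush timer, the per-BSSID beacon buffer and the forwarded record layout are assumptions made for this illustration.

```python
"""Added example, not the patent's code: a model of the FIG. 8A-B collection loop.
Frames are constructed 802.11 MAC headers; the timer, the per-BSSID beacon buffer
and the forwarded record layout are assumptions made for this illustration."""
import struct

BEACON = (0, 8)   # 802.11 (type, subtype) of a beacon management frame


def build_frame(ftype, subtype, a1, a2, a3, to_ds=0, from_ds=0, body=b""):
    """Construct a minimal 802.11 frame: Frame Control, Duration, three addresses,
    Sequence Control, then the body (used only to create sample input)."""
    fc = (ftype << 2) | (subtype << 4) | (to_ds << 8) | (from_ds << 9)
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", 0) + body


def parse_header(frame):
    """Decode Frame Control and the three address fields of an 802.11 header."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": (fc >> 8) & 1,
        "from_ds": (fc >> 9) & 1,
        "addr1": frame[4:10].hex(":"),
        "addr2": frame[10:16].hex(":"),
        "addr3": frame[16:22].hex(":"),
    }


def origin_destination(hdr):
    """Steps 835/840: map the address fields to source, destination and BSSID
    according to the To-DS / From-DS bits (the 4-address WDS case is not modelled)."""
    a1, a2, a3 = hdr["addr1"], hdr["addr2"], hdr["addr3"]
    if hdr["to_ds"] and not hdr["from_ds"]:
        return a2, a3, a1          # station -> AP: SA=A2, DA=A3, BSSID=A1
    if hdr["from_ds"] and not hdr["to_ds"]:
        return a3, a1, a2          # AP -> station: SA=A3, DA=A1, BSSID=A2
    return a2, a1, a3              # ad hoc / IBSS: SA=A2, DA=A1, BSSID=A3


class Sensor:
    """Promiscuous-mode sensor state: a beacon buffer flushed on a timer (steps 810,
    860-870) and per-station state learned from data frame headers (step 840)."""

    def __init__(self, flush_interval, now):
        self.flush_interval = flush_interval
        self.last_flush = now
        self.beacon_counts = {}       # bssid -> frames seen this interval
        self.station_state = {}       # station MAC -> {"bssid", "last_seen"}

    def flush(self, now):
        """Entry point 845: emit one summary record per BSSID and reset the buffer."""
        records = [{"kind": "beacon_summary", "bssid": b, "count": n,
                    "interval_start": self.last_flush, "interval_end": now}
                   for b, n in sorted(self.beacon_counts.items())]
        self.beacon_counts = {}
        self.last_flush = now
        return records

    def process_frame(self, frame, now):
        """Steps 820-870 for one frame; returns the records forwarded (step 850)."""
        hdr = parse_header(frame)
        if hdr["type"] in (0, 1):                        # management or control (step 825)
            if (hdr["type"], hdr["subtype"]) == BEACON:  # redundant type (step 855)
                bssid = hdr["addr3"]
                self.beacon_counts[bssid] = self.beacon_counts.get(bssid, 0) + 1
            if now - self.last_flush >= self.flush_interval:   # timer check (step 870)
                return self.flush(now)
            return []
        if hdr["type"] != 2:                             # reserved type: discard
            return []
        sa, da, bssid = origin_destination(hdr)
        self.station_state[sa] = {"bssid": bssid, "last_seen": now}
        return [{"kind": "data", "sa": sa, "da": da, "bssid": bssid,
                 "to_ds": hdr["to_ds"], "from_ds": hdr["from_ds"]}]


def run_sensor(frames, flush_interval=60.0):
    """Feed (timestamp, frame) pairs through the loop; returns all forwarded records."""
    sensor = Sensor(flush_interval, frames[0][0] if frames else 0.0)
    out = []
    for t, f in frames:
        out.extend(sensor.process_frame(f, t))
    return out


# Constructed sample traffic: three beacons from one AP and one station data frame.
AP = bytes.fromhex("00112233aabb")
STA = bytes.fromhex("0a0b0c0d0e0f")
BCAST = b"\xff" * 6
SAMPLE = [
    (0.0, build_frame(0, 8, BCAST, AP, AP)),
    (1.0, build_frame(0, 8, BCAST, AP, AP)),
    (2.0, build_frame(2, 0, AP, STA, BCAST, to_ds=1)),
    (11.0, build_frame(0, 8, BCAST, AP, AP)),
]

if __name__ == "__main__":
    for record in run_sensor(SAMPLE, flush_interval=10.0):
        print(record)
```

With a 10 second interval the three beacons collapse into a single summary record with a count of 3, while the data frame is forwarded immediately with its origin, destination and BSSID.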

In the embodiment of a combination hardware sensor and access point, one 
802.11 radio would operate as a normal 802.11 access point operating in infrastructure 
mode that would allow wireless stations to associate and pass data through to the wired 
network. The additional 802.11 radio would operate in promiscuous mode just as a 
stand-alone hardware sensor would operate. This would give the device the ability to 
send and receive data as a normal 802.11 access point while utilizing the additional 
radio to monitor the airwaves against intrusions and monitor the wireless network for 
performance and health monitoring. 

The embodiment of an access point modified to provide monitoring capability 
would utilize a single 802.11 radio to send and receive data with wireless stations but 
would utilize an SNMP mechanism to send traps back to a back end server when events 
occur such as intrusions or attacks against the access point. This method is not as 
effective as the previously mentioned embodiments but can provide additional 
information that is not collected by standard operating access points. 

In one preferred embodiment, devices 210A-D and host system 220 can be 
configured locally or remotely, and configuration can occur through an interactive 
interface and/or through a command line interface. The interactive interface is 
accessible locally whereas the command line interface is accessible either locally or 
remotely. Remote access is preferably granted through the use of a secure shell (SSH) 
client communicating with an SSH server running on the device or host system. 

Wireless Network Topology Mapping and Visualization 

Management of a wireless network differs in many ways from the management 
of a wired network. One important difference is the more dynamic nature of nodes 
(computers, PDAs, 802.11 cell phones, etc.) in the network. In a wired network, 
connections to the network occur only at fixed locations. In a wireless network, nodes 
are not tied to physical connectivity to the network; a wireless network has no 
traditional boundaries and its topology can change at a fairly high rate. 

This dynamic change is due to the ability of wireless network users to roam 
across multiple networks as well as the ability of modern wireless protocols to support 
instantaneous creation of ad hoc networks. Additionally, due to the nature of wireless 
RF transmission, connectivity may vary much more dynamically than in a wired 
network. This is due to physical channel variations such as noise, multipath, 
transmission obstacles, etc. that are not typically a factor in wired networks. Given 
these features, the connectivity patterns and network topology can change from 
moment to moment. 

FIG. 9 depicts a process that supports the capture, and in some embodiments 
visualization, of a wireless network topology over time. This mechanism utilizes the 
stateful analysis capabilities of the network behavior engine to capture and track the 
connectivity patterns of users and the networks that are established over time. 

The monitoring process is initialized in step 910. Network data is accumulated 
over a defined time period (an epoch or interval) by processing network data in step 
920 until an epoch is complete as determined in step 930. This epoch may vary in 
length depending upon the depth of analysis and state accumulation desired. In any 
case, at the end of an epoch, statistical and state analysis is performed on the 
accumulated data in step 940. In step 950, topology data is generated and/or updated 
from the network data and/or data generated in step 940. 
This data accumulation process (steps 910-940) can be the same monitoring 
process as depicted and described herein below with respect to FIG. 4. Initialization in 
step 910 can include the FIG. 4 configuration process as previously discussed. In such 
case, topology updating 950 would occur concurrently with, before or after the statistics 
update step 470. In some such embodiments, the multidimensional IDS process step 
435 can include testing for various departures from topology expectations. 

In step 960, topology analysis may occur automatically after each epoch; 
alternatively, progression to step 960 may only occur as a result of an on-demand 
inquiry from a user or another system. In either case, the topology data can be analyzed 
in several ways. 

For analysis purposes, this topology can then be represented mathematically as 
a graph, with a set of nodes and edges interconnecting the nodes per the observed 
pattern. This generated topology can also be further processed to generate a 
visualization or to compare with a prior network topology to evaluate potential security 
and/or policy violations. The topology comparison in some embodiments could include 
rules-based comparison for potential security and/or policy violations. In addition, or 
instead, the topology could be subject to a pattern matching-based comparison to 
identify a topology state that violates security and/or policy constraints. Any suitable 
pattern matching approach could be used; in some instances, neural networks, lexical 
analysis and/or bit masking could be included as part of such pattern matching. 

Through collection of state information related to activity, usage and connectivity 
patterns, the topology can be constructed and updated over time as new state 
information is collected by the system. Additional information also includes device 
identity and classification, allowing each node in the network to be represented in terms 
of its capabilities, its state and its usage patterns. Further, these patterns can also be 
analyzed via a number of mechanisms including pattern matching to discriminate 
between normal and anomalous activity. 
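The epoch-based topology graph of FIG. 9 (step 950) and the rules-based comparison of step 960, as an added example that is not the patent's code. The (station, bssid) observation records, the rule names, and the authorized access point and membership lists are constructed for this illustration; the comparison also diffs against the previous epoch, which the text mentions only as comparison "with a prior network topology".

```python
"""Added example, not the patent's code: the FIG. 9 epoch loop as a graph (step 950)
and a rules-based comparison with an authorized topology and with the previous
epoch (step 960). The observation records, the rule names and the authorized
lists are constructed for this illustration."""
from collections import defaultdict


class Topology:
    """One epoch's connectivity graph: stations and access points as nodes,
    observed associations as edges weighted by frame count."""

    def __init__(self, epoch):
        self.epoch = epoch
        self.stations = set()
        self.aps = set()
        self.edges = defaultdict(int)      # (station, bssid) -> frames seen

    def add(self, station, bssid):
        self.stations.add(station)
        self.aps.add(bssid)
        self.edges[(station, bssid)] += 1

    def ap_of(self, station):
        """The access point a station was most active on this epoch (None if absent)."""
        seen = [(n, b) for (s, b), n in self.edges.items() if s == station]
        return max(seen)[1] if seen else None


def build_topology(epoch, observations):
    """Step 950: fold (station, bssid) observations accumulated over the epoch."""
    topo = Topology(epoch)
    for station, bssid in observations:
        topo.add(station, bssid)
    return topo


def compare(topo, prior, authorized_aps, members):
    """Step 960, rules-based: returns sorted (rule, subject, detail) findings.
    members maps an authorized bssid to the set of stations allowed on it."""
    findings = set()
    for bssid in topo.aps - authorized_aps:
        findings.add(("unauthorized_ap", bssid, "observed in epoch %d" % topo.epoch))
    for (station, bssid), n in topo.edges.items():
        if bssid in authorized_aps and station not in members.get(bssid, set()):
            findings.add(("unauthorized_station", station, "%d frames on %s" % (n, bssid)))
    if prior is not None:
        # Diff against the prior epoch: authorized APs that vanished, stations that moved.
        for bssid in (prior.aps & authorized_aps) - topo.aps:
            findings.add(("ap_missing", bssid, "present in epoch %d" % prior.epoch))
        for station in prior.stations & topo.stations:
            before, now = prior.ap_of(station), topo.ap_of(station)
            if before != now:
                findings.add(("moved", station, "%s -> %s" % (before, now)))
    return sorted(findings)


# Constructed observations: one (station, bssid) pair per data frame, two epochs.
AUTHORIZED_APS = {"ap-1"}
MEMBERS = {"ap-1": {"sta-1", "sta-2"}}
EPOCH1 = [("sta-1", "ap-1"), ("sta-2", "ap-1"), ("sta-2", "ap-1")]
EPOCH2 = [("sta-1", "ap-1"), ("sta-2", "ap-x"), ("sta-3", "ap-1")]


def run_epochs(epochs):
    """Steps 910-960 over a sequence of epochs; returns the findings of each epoch."""
    prior, report = None, []
    for i, obs in enumerate(epochs, start=1):
        topo = build_topology(i, obs)
        report.append(compare(topo, prior, AUTHORIZED_APS, MEMBERS))
        prior = topo
    return report


if __name__ == "__main__":
    for epoch, findings in enumerate(run_epochs([EPOCH1, EPOCH2]), start=1):
        print(epoch, findings or "no violations")
```

The second epoch yields three findings: an access point "ap-x" that is not authorized, station "sta-3" on "ap-1" without membership, and "sta-2" having moved from "ap-1" to "ap-x" since the previous epoch.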

The analyzed topology data is then output in step 970. This topology 
information can be output as a visualization in some embodiments through the use of 
graphical representations with encodings for state, traffic, security, and connectivity. 
FIGs. 12A, 12A1 and 12B depict an example visualization interface showing a tracked 
topology. In such embodiments employing a graphical representation, color of various 
graphical items can be used to convey additional information regarding the state, 
traffic, security and connectivity of particular devices represented by the graphical 
items. 

In one particular embodiment as depicted in these figures, the colors have 
prescribed meanings as follows for sensors, access points/bridges and stations: 

Sensors: Sensors can be blue, green or red and can have the letters L, S, LL, 
SS, SL, or LS. L means locked on channel, and S means scanning channels. The 
single versus double letters is for the two different types of hardware. 
• Blue - Default sensor that is a placeholder for imported/manually added 
devices that have not been observed yet. 
• Green - Sensor is online. 
• Red - Sensor is off-line. 

Access Points/Bridges: Access Points and bridges can be blue, green, red, or 
gray. 
• Blue: manually added or imported into the system but has not been 
observed yet 
• Green: authorized 
• Red: unauthorized 
• Gray: ignored 

Stations: Wireless stations can be blue, green, red, gray, purple or orange. 
Stations can also have a W in them if they are on a watch list. 
• Blue: manually added or imported into the system but has not been 
observed yet 
• Green: authorized on the access point (could be current state or historical) 
• Red: unauthorized on the access point (could be current state or historical) 
• Gray: ignored 
• Purple: unassociated wireless station 
• Orange: adhoc station 




In addition to, or instead of, a visualization output, an alert could be generated if 
a topology violation were detected as a result of the analysis. Such a notification could 
be in the form of a communication to a user and/or another system as described in 
further detail below with respect to alerts. 

Access Point Configuration 

In some preferred embodiments of the present invention, an interactive interface 
is provided for configuring the access point and various hardware components and 
supplying a variety of configuration data including threshold values of various kinds. 
In one preferred embodiment, an administration program area provides such an 
interface and allows: 

o definition and configuration of access point settings and policies; 
o definition of authorized user identities and authorized types or modes of 
behavior; 
o creation and/or designation of thresholds used to trigger 
intrusion/detection alarms for authorized access points; 
o creation and/or designation of default thresholds used to trigger 
intrusion/detection alarms for non-authorized access points; and 
o configuration of settings for the various hardware/software components. 
The administration program area, in one preferred embodiment, offers a standard 
windowing interface featuring tabbed pages for easy navigation between configuration 
functions. From within each of the tabbed pages, an Edit button allows modification of 
the values. After editing the data, Accept temporarily saves the changes. Commit 
permanently saves and applies edits (until edited again). Accepted changes persist until 
the system is restarted whereas committed changes persist across restarts. 

One preferred embodiment automatically attempts to detect and record all the 
configured properties for all access points it observes. The settings constitute access 
point "policies"— when access point properties deviate from those recorded, one or more 
alarms can be generated. The values for an access point can be modified manually to 
alter the generation of specific alarms. Policies for off-line access points can also be 
created in some embodiments using an Add feature. 
The table below provides a summary of several access point properties 
displayable and/or configurable in some preferred embodiments of the present 
invention. Each entry gives the value followed by its description. 

Access Point ID: The MAC address of the access point. 

Access Point Name: The user-defined name of the access point. 

Extended Service Set ID: The name of the Extended Service Set indicating the wireless 
network to which the access point belongs. 

Access Point Vendor: The manufacturer of the access point. In some embodiments, this 
is detected by comparing the first three bytes of its MAC address 
with a database of OUI numbers. 

Supported Rates: The data transfer rates the access point supports. In some 
embodiments, this value (or these values) can be edited to specify 
the supported rates. 

Authentication Modes: Whether the access point accepts non-authenticated network 
connections and/or also accepts shared key authentication. (If 
connections are detected that deviate from either of these settings, 
an alarm can be generated.) 

Configured to Run WEP: Whether or not the access point is configured to require WEP 
encryption. 

AP Mgmt From Wireless Network: Whether the access point is configured to allow users to directly 
administer its settings over the wireless network. 

Authorized Access Point: Whether this access point is authorized to be present in the air 
space. Unauthorized access points, when detected, can generate 
alarms. (In some embodiments, a change in this value will not take 
effect until the system is restarted.) 


For each access point, a station maintenance screen or menu may allow the 
specification of the stations that are authorized to use it. One preferred embodiment of 
such a screen or menu automatically detects all stations within the footprint of the 
access point's Basic Service Set (BSS) and enters their MAC addresses in an Observed 
column. Such stations can be indicated as an authorized member of the BSS by 
selecting them in the Observed column and designating them as Valid. Designated 
stations are moved to a Valid column. (Stations can, in some embodiments, be 
designated as invalid by selecting and marking them in the Valid column.) Stations not 
auto-detected can be manually entered by specifying their MAC addresses in an Enter New 
Station input field and triggering an Add Station feature. Authorization of stations can 
also be done via file import, access control server export or via direct configuration 
through a typical access point configuration and management port. 

Access Point Threshold Configuration and Aggregate Station Thresholds 

Systems and methods according to the present invention generate alerts if 
network traffic that exceeds thresholds is detected. In one preferred embodiment, all 
detected or manually configured off-line access points are listed in a Select AP pick 
list. Thresholds associated with each access point in the pick list can be edited by 
selecting the particular access point. Such threshold values can be either temporary 
(until the next restart) or persistent across restarts (until a further edit designated as 
persistent). 



Each entry below gives the value followed by its description. 

Signal Strength Threshold: If the signal strength for any station in the BSS is lower than this 
value, an alarm can be generated. 

# of Associations per Minute: Enter the maximum number of associations per minute to allow with 
all stations combined. (Preferably, this value is not higher than twice 
the number of stations in the BSS.) 

# of Associated Stations: Enter the maximum number of stations allowed to associate at any 
one time with this access point. The number should reflect the actual 
number of stations. If a greater number is detected, an alarm can be 
generated. 



The following table outlines a set of thresholds used in one preferred 
embodiment that refer to the network characteristics encompassing all stations and 
traffic in the BSS. In one preferred embodiment, special care must be taken when 
creating the "byte thresholds" that immediately follow. Several factors govern the 
values entered for each: 

o The "transmission rate" of the access point— how much data it can transmit— 
is the first consideration. If the transmission rate is only 1 megabyte per 
second, the thresholds will be much lower than if the transmission rate is 11 
megabytes per second. 
o All four "directions" of traffic (wired to wired, wired to wireless, wireless to 
wired, and wireless to wireless) must add up to less than 100% of available 
bandwidth. Many administrators will set the individual thresholds such that 
their combined value is less than 80% of available bandwidth. 



Each entry below gives the value followed by its description. 

# Bytes into BSS from Wired Net: Enter the maximum number of bytes of data per minute allowed into 
the BSS from the wired portion of your network. If a greater number is 
detected, an alarm can be generated. 

# Bytes from BSS to Wired Net: Enter the maximum number of bytes of data per minute allowed out of 
the BSS to a wired portion of your network. If a greater number is 
detected, an alarm can be generated. 

# Bytes between Stations in BSS: Enter the maximum number of bytes of data per minute allowed to be 
transmitted within the BSS from all stations. If a greater number is 
detected, an alarm can be generated. 

# Bytes from Wired Net to Wired Net: Enter the maximum number of bytes of data per minute allowed to be 
transmitted from a wired portion of the network to another wired 
portion of the network, using the access point as a bridge. If a greater 
number is detected, an alarm can be generated. 

Total Data Frames Seen: Enter the maximum number of data frames per minute from all stations 
combined allowed to be transmitted. If a greater number is detected, an 
alarm can be generated. 

Total Mgmt Frames Seen: Enter the maximum number of management frames per minute from all 
stations combined allowed to be transmitted. If a greater number is 
detected, an alarm can be generated. 

Total Ctrl Frames Seen: Enter the maximum number of control frames per minute from all 
stations combined allowed to be transmitted. If a greater number is 
detected, an alarm can be generated. 

Total Ad hoc Frames Seen: Enter the maximum number of ad hoc frames per minute from all 
stations combined allowed to be transmitted. If a greater number is 
detected, an alarm can be generated. 
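The access point policy deviation alarms described under Access Point Configuration and the aggregate byte and frame thresholds tabulated above, as an added example that is not the patent's code. The property names, the counter record layout, the sample values and the 80% bandwidth budget are assumptions made for this illustration; the signal strength threshold alarms on a lower value, every other threshold on a higher one.

```python
"""Added example, not the patent's code: access point policy deviation checks
(recorded properties versus what a sensor now observes) and aggregate BSS
threshold checks, including the bandwidth-budget sanity check for the four
byte thresholds. Property names, record layout, sample values and the 80%
budget are assumptions made for this illustration."""

# Recorded policy for one access point, keyed by property as in the property table.
RECORDED_POLICY = {
    "essid": "corp-wlan",
    "vendor_oui": "00:11:22",
    "supported_rates": (1, 2, 5.5, 11),
    "open_auth": False,
    "shared_key_auth": True,
    "wep_required": True,
    "mgmt_from_wireless": False,
}

# Per-minute byte thresholds for the four traffic directions of the threshold table.
BYTE_DIRECTIONS = ("wired_to_bss", "bss_to_wired", "bss_internal", "wired_to_wired")


def check_ap_policy(recorded, observed):
    """Alarm on every property whose observed value deviates from the recorded policy.
    A property the sensor could not observe (missing key) is reported as 'unknown'."""
    return sorted((name, recorded[name], observed.get(name, "unknown"))
                  for name in recorded if observed.get(name, "unknown") != recorded[name])


def validate_byte_thresholds(thresholds, rate_bytes_per_second, budget=0.8):
    """Return (fraction of capacity, ok): the four directional per-minute byte
    thresholds must sum to less than the available bandwidth, checked here
    against the configured budget fraction."""
    capacity_per_minute = rate_bytes_per_second * 60
    total = sum(thresholds[d] for d in BYTE_DIRECTIONS)
    fraction = total / capacity_per_minute
    return fraction, fraction <= budget


def evaluate_counters(thresholds, counters):
    """Compare one minute of BSS counters with the thresholds. Every threshold is a
    maximum except signal_strength, which alarms when a lower value is seen.
    Returns sorted (name, observed, limit) alarms."""
    alarms = []
    for name, limit in sorted(thresholds.items()):
        if name not in counters:
            continue
        value = counters[name]
        exceeded = value < limit if name == "signal_strength" else value > limit
        if exceeded:
            alarms.append((name, value, limit))
    return alarms


# Constructed sample input: a 1,000,000 byte/s access point, its thresholds,
# one minute of aggregate counters and a snapshot of its observed properties.
RATE = 1_000_000
THRESHOLDS = {
    "wired_to_bss": 10_000_000, "bss_to_wired": 10_000_000,
    "bss_internal": 20_000_000, "wired_to_wired": 5_000_000,
    "data_frames": 30_000, "mgmt_frames": 6_000, "ctrl_frames": 10_000,
    "adhoc_frames": 0, "associations_per_minute": 8, "associated_stations": 4,
    "signal_strength": -75,
}
MINUTE = {
    "wired_to_bss": 12_500_000, "bss_to_wired": 4_000_000, "bss_internal": 0,
    "wired_to_wired": 0, "data_frames": 22_000, "mgmt_frames": 600,
    "ctrl_frames": 9_000, "adhoc_frames": 3, "associations_per_minute": 8,
    "associated_stations": 4, "signal_strength": -80,
}
OBSERVED = dict(RECORDED_POLICY, wep_required=False, mgmt_from_wireless=True)

if __name__ == "__main__":
    print("policy deviations:", check_ap_policy(RECORDED_POLICY, OBSERVED))
    print("byte budget:", validate_byte_thresholds(THRESHOLDS, RATE))
    print("threshold alarms:", evaluate_counters(THRESHOLDS, MINUTE))
```

On the constructed minute the four byte thresholds use 75% of capacity (within budget), while the counters raise alarms for ad hoc frames, a weak signal and excess wired-to-BSS bytes, and the observed AP deviates from policy on WEP and wireless-side management.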



Individual Station Thresholds 

The following table outlines a set of potential thresholds applied to any 
individual station in one preferred embodiment. If any single station reaches one of 
these thresholds, an alarm can be generated. 



Each entry below gives the column followed by its description. 

Signal Strength Threshold: If the signal strength for any station in the BSS is lower than this 
value, an alarm can be generated. 

# of Associations per Minute: Enter the maximum number of associations per minute any station 
is allowed to make with an access point. If a greater number is 
detected, an alarm can be generated. 

# of Bytes Transmitted: Enter the maximum number of bytes of data per minute any station 
is allowed to transmit. If a greater number is detected, an alarm can be 
generated. 

# of Bytes Received: Enter the maximum number of bytes of data per minute any station 
is allowed to receive. If a greater number is detected, an alarm can 
be generated. 

# of Data Frames Transmitted: Enter the maximum number of data frames per minute any station 
is allowed to transmit. If a greater number is detected, an alarm can 
be generated. 

# of Data Frames Received: Enter the maximum number of data frames per minute any station 
is allowed to receive. If a greater number is detected, an alarm can 
be generated. 

# of Mgmt Frames Transmitted: Enter the maximum number of management frames per minute any 
station is allowed to transmit. If a greater number is detected, an 
alarm can be generated. 

# of Mgmt Frames Received: Enter the maximum number of management frames per minute any 
station is allowed to receive. If a greater number is detected, an 
alarm can be generated. 

# of Ctrl Frames Transmitted: Enter the maximum number of control frames per minute any 
station is allowed to transmit. If a greater number is detected, an 
alarm can be generated. 

# of Ctrl Frames Received: Enter the maximum number of control frames per minute any 
station is allowed to receive. If a greater number is detected, an 
alarm can be generated. 

# of Fragment Frames Seen: Enter the maximum number of fragment frames per minute from 
any station that are allowed. If a greater number is detected, an 
alarm can be generated. 

# of Decrypt Error Frames Seen: Enter the maximum number of decrypt error frames per minute 
from any station that are allowed. If a greater number is detected, 
an alarm can be generated. 



Access Point Station Thresholds 

The following table outlines a set of thresholds, in one preferred embodiment, 
applied to the access point itself, and will typically be somewhat more than the 
Aggregate Station thresholds. 


Column 


Description 


Signal Strength 
Threshold 


If the signal strength for any frame is lower than this value, an 
alarm can be generated. 


# of Associations 
per Minute 


Whereas stations must associate with an access point, access points 
do not associate with themselves. Therefore, this value should be 
zero, indicating that it does not associate. 


# of Bytes 
Transmitted 


Enter the maximum number of bytes of data per minute this access 
point is allowed to transmit. If a greater number is detected, an 
alarm can be generated. 


# of Bytes 
Received 


Enter the maximum number of bytes of data per minute this access 
point is allowed to receive. If a greater number is detected, an alarm 
can be generated. 


# of Data Frames 
Transmitted 


Enter the maximum number of data frames per minute this access 
point is allowed to transmit. If a greater number is detected, an 
alarm can be generated. 


# of Data Frames 
Received 


Enter the maximum number of data frames per minute this access 
point is allowed to receive. If a greater number is detected, an alarm 
can be generated. 


# of Mgmt Frames 
Transmitted 


Enter the maximum number of management frames per minute this 
access point is allowed to transmit. If a greater number is detected, 
an alarm can be generated. 


# of Mgmt Frames 
Received 


Enter the maximum number of management frames per minute this 
access point is allowed to receive. If a greater number is detected, 
an alarm can be generated. 


# of Ctrl Frames 
Transmitted 


Enter the maximum number of control frames per minute this 
access point is allowed to transmit. If a greater number is detected, 
an alarm can be generated. 


# of Ctrl Frames 
Received 


Enter the maximum number of control frames per minute this 
access point is allowed to receive. If a greater number is detected, 
an alarm can be generated. 


# of Fragment 
Frames Seen 


Enter the maximum number of fragment frames per minute this 
access point can see before generating an alarm. 


# of Decrypt Error 
Frames Seen 


Enter the maximum number of decrypt error frames per minute this 
access point can see before generating an alarm. 
Default Threshold Information 

In one preferred embodiment, whenever a new access point is detected or 
manually entered, the specified default settings are applied until it is manually 
customized. It is assumed that new or unauthorized access points are potential hackers, 
so it is preferable to set the default thresholds fairly low. 
Aggregate Station Thresholds 

The table below outlines a set of thresholds that refer to the combined statistics 
for all stations in one preferred embodiment. 



Column 


Description 


Signal Strength 
Threshold 


If the signal strength for any station in the BSS associated with an 
unknown access point is lower than this value, an alarm can be 
generated. 


# of Associations 
per Minute 


Whereas stations must associate with an access point, access points 
do not associate with themselves. Therefore, this value should be 
zero, indicating that it does not associate. 


# of Associated 
Stations 


Enter the maximum number of stations allowed to associate with 
unknown access points. The number should reflect your actual 
stations. If a greater number is detected, an alarm can be generated. 


# Bytes into BSS 
from Wired Net 


Enter the maximum number of bytes of data per minute allowed into 
the BSS through unknown access points from the wired portion of 
your network. If a greater number is detected, an alarm can be 
generated. 


# Bytes from BSS 
to Wired Net 


Enter the maximum number of bytes of data per minute allowed out 
of the BSS through unknown access points to a wired portion of your 
network. If a greater number is detected, an alarm can be generated. 


# Bytes between 
Stations in BSS 


Enter the maximum number of bytes of data per minute allowed to be 
transmitted within the BSS from all stations through unknown access 
points. If a greater number is detected, an alarm can be generated. 


# Bytes from 
Wired Net to 
Wired Net 


Enter the maximum number of bytes of data per minute allowed to be 
transmitted through unknown access points from a wired portion of 
the network to another wired portion of the network, using the access 
point as a bridge. If a greater number is detected, an alarm can be 
generated. 


Total Data Frames 
Seen 


Enter the maximum number of data frames per minute for all stations 
combined allowed to be transmitted through unknown access points, 
If a greater number is detected, an alarm can be generated. 


Total Mgmt 
Frames Seen 


Enter the maximum number of management frames per minute for all 
stations combined allowed to be transmitted through unknown access 
points. If a greater number is detected, an alarm can be generated. 


Total Ctrl Frames 
Seen 


Enter the maximum number of control frames per minute for all 
stations combined allowed to be transmitted through unknown access 
points. If a greater number is detected, an alarm can be generated. 


Total Ad hoc 
Frames Seen 


Enter the maximum number of ad hoc frames per minute for all 
stations combined allowed to be transmitted through unknown access 
points. If a greater number is detected, an alarm can be generated. 


Individual Station Thresholds 

The set of thresholds outlined in the table below apply to any individual station 
in one preferred embodiment, and will typically be lower than the Aggregate Station 
thresholds. 


Column 


Description 


Signal Strength 
Threshold 


If the signal strength for any station associated with an unknown 
access point is lower than this value, an alarm can be generated. 


# of Associations 
per Minute 


Enter the maximum number of associations per minute any station is 
allowed to make with an unknown access point. If a greater number 
is detected, an alarm can be generated. 


# of Bytes 
Transmitted 


Enter the maximum number of bytes of data per minute any station 
is allowed to transmit through unknown access points. If a greater 
number is detected, an alarm can be generated. 


# of Bytes 
Received 


Enter the maximum number of bytes of data per minute any station 
is allowed to receive through unknown access points. If a greater 
number is detected, an alarm can be generated. 


# of Data Frames 
Transmitted 


Enter the maximum number of data frames per minute any station is 
allowed to transmit through unknown access points. If a greater 
number is detected, an alarm can be generated. 


# of Data Frames 
Received 


Enter the maximum number of data frames per minute any station is 
allowed to receive through unknown access points. If a greater 
number is detected, an alarm can be generated. 


# of Mgmt Frames 
Transmitted 


Enter the maximum number of management frames per minute any 
station is allowed to transmit through unknown access points. If a 
greater number is detected, an alarm can be generated. 


# of Mgmt Frames 
Received 


Enter the maximum number of management frames per minute any 
station is allowed to receive through unknown access points. If a 
greater number is detected, an alarm can be generated. 


# of Ctrl Frames 
Transmitted 


Enter the maximum number of control frames per minute any station 
is allowed to transmit through unknown access points. If a greater 
number is detected, an alarm can be generated. 


# of Ctrl Frames 
Received 


Enter the maximum number of control frames per minute any station 
is allowed to receive through unknown access points. If a greater 
number is detected, an alarm can be generated. 


# of Fragment 
Frames Seen 


Enter the maximum number of fragment frames per minute from 
any station that are allowed. If a greater number is detected, an 
alarm can be generated. 


# of Decrypt Error 
Frames Seen 


Enter the maximum number of decrypt error frames per minute from 
any station that are allowed. If a greater number is detected, an 
alarm can be generated. 
Access Point Station Thresholds 

The set of thresholds in the table below applies to all unauthorized access points 
in one preferred embodiment. 



Column 


Description 


Signal Strength 
Threshold 


If the signal strength for any access point is lower than this value, an 
alarm can be generated. 


# of Associations 
per Minute 


Enter the maximum number of associations per minute between any 
access point and stations. (It is recommended that this value not be 
higher than twice the number of stations in your BSS.) 


# of Bytes 
Transmitted 


Enter the maximum number of bytes of data per minute allowed to 
be transmitted from any access point. If a greater number is detected, 
an alarm can be generated. 


# of Bytes 
Received 


Enter the maximum number of bytes of data per minute allowed to 
be received by any access point. If a greater number is detected, an 
alarm can be generated. 


# of Data Frames 
Transmitted 


Enter the maximum number of data frames per minute allowed to be 
transmitted by any access point. If a greater number is detected, an 
alarm can be generated. 


# of Data Frames 
Received 


Enter the maximum number of data frames per minute allowed to be 
received by any access point. If a greater number is detected, an 
alarm can be generated. 


# of Mgmt Frames 
Transmitted 


Enter the maximum number of management frames per minute 
allowed to be transmitted by any access point. If a greater number is 
detected, an alarm can be generated. 


# of Mgmt Frames 
Received 


Enter the maximum number of management frames per minute 
allowed to be received by any access point. If a greater number is 
detected, an alarm can be generated. 


# of Ctrl Frames 
Transmitted 


Enter the maximum number of control frames per minute allowed to 
be transmitted by any access point. If a greater number is detected, 
an alarm can be generated. 


# of Ctrl Frames 
Received 


Enter the maximum number of control frames per minute allowed to 
be received by any access point. If a greater number is detected, an 
alarm can be generated. 


# of Fragment 
Frames Seen 


Enter the maximum number of fragment frames per minute allowed 
for any access point. If a greater number is detected, an alarm can be 
generated. 


# of Decrypt Error 
Frames Seen 


Enter the maximum number of decrypt error frames per minute 
allowed for any access point. If a greater number is detected, an 
alarm can be generated. 



Some embodiments may allow for self-configuration of some or all of the 
thresholds discussed above. Such self-configuration could occur through a learning 
mode in which the systems and methods according to the present invention monitor 
traffic on the wireless computer network for the first several hours or days after 
installation. In such a learning mode, alarm notifications can be disabled. It is 
expected that, in the beginning, the generation of alarms will be very high—hundreds or 
thousands per day depending on actual network traffic—until thresholds in accordance 
with the network's normal activity are determined. Once an accurate picture of normal 
network traffic has been captured, and thresholds are reflective of normal activity, a 
switch to normal operations mode enables alarm notifications. 
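The per-minute station thresholds tabulated above and the learning mode just described can be worked through in code. The following Python is an added illustration, not code from the patent; the counter names mirror the threshold table columns, while the frame records, MAC addresses, default threshold values and the mean-plus-three-sigma learning rule are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Counter names follow the threshold table columns: per-minute associations,
# bytes and frames (data/management/control) transmitted and received,
# fragment frames seen and decrypt-error frames seen.
COUNTERS = ("assoc", "bytes_tx", "bytes_rx", "data_tx", "data_rx", "mgmt_tx",
            "mgmt_rx", "ctrl_tx", "ctrl_rx", "fragment", "decrypt_err")

# Hypothetical "fairly low" defaults applied to a newly detected station until
# it is manually customized (values are constructed, not from the patent).
DEFAULT_THRESHOLDS = {"assoc": 2, "bytes_tx": 50_000, "bytes_rx": 50_000,
                      "data_tx": 100, "data_rx": 100, "mgmt_tx": 20, "mgmt_rx": 20,
                      "ctrl_tx": 50, "ctrl_rx": 50, "fragment": 5, "decrypt_err": 1}


@dataclass
class Frame:
    minute: int                # capture minute index
    station: str               # station MAC address (constructed)
    kind: str                  # "data", "mgmt" or "ctrl"
    direction: str             # "tx" or "rx" from the station's point of view
    nbytes: int
    assoc: bool = False        # management frame that is an association request
    fragment: bool = False     # frame is a fragment of a larger MSDU
    decrypt_err: bool = False  # frame could not be decrypted


def count_minutes(frames):
    """Aggregate frames into {(minute, station): {counter: value}}."""
    counts = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for f in frames:
        c = counts[(f.minute, f.station)]
        if f.kind == "data":           # the byte thresholds count bytes of data
            c["bytes_" + f.direction] += f.nbytes
        c[f.kind + "_" + f.direction] += 1
        c["assoc"] += int(f.assoc)
        c["fragment"] += int(f.fragment)
        c["decrypt_err"] += int(f.decrypt_err)
    return counts


def learn_thresholds(frames, sigmas=3.0):
    """Learning mode: alarms stay off while per-counter maxima are derived.

    Each threshold is mean + sigmas * stddev over every (minute, station)
    sample, and never below the largest value actually observed, so the
    captured normal activity does not alarm once notifications are enabled.
    """
    counts = count_minutes(frames)
    learned = {}
    for name in COUNTERS:
        samples = [c[name] for c in counts.values()]
        learned[name] = max(int(mean(samples) + sigmas * pstdev(samples)),
                            max(samples))
    return learned


def check_station_minute(counters, thresholds):
    """Return (counter, observed, limit) for every threshold that is exceeded."""
    return [(name, counters[name], thresholds[name])
            for name in COUNTERS if counters[name] > thresholds[name]]


def run_normal_mode(frames, thresholds):
    """Normal operations mode: evaluate every station-minute and collect alarms."""
    alarms = []
    for (minute, station), c in sorted(count_minutes(frames).items()):
        for name, seen, limit in check_station_minute(c, thresholds):
            alarms.append((minute, station, name, seen, limit))
    return alarms


def baseline_frames():
    """Constructed normal traffic: two stations with steady rates for 10 minutes."""
    frames = []
    for minute in range(10):
        for station in ("00:11:22:33:44:01", "00:11:22:33:44:02"):
            for _ in range(20):
                frames.append(Frame(minute, station, "data", "tx", 1200))
                frames.append(Frame(minute, station, "data", "rx", 800))
            # one management frame per minute; the first one is the association
            frames.append(Frame(minute, station, "mgmt", "tx", 60, assoc=(minute == 0)))
            for _ in range(10):
                frames.append(Frame(minute, station, "ctrl", "rx", 14))
    return frames


def burst_frames():
    """Constructed abnormal minute: a third station repeats associations and
    transmits far more data than any baseline station-minute."""
    station = "00:11:22:33:44:03"
    frames = [Frame(10, station, "mgmt", "tx", 60, assoc=True) for _ in range(30)]
    frames += [Frame(10, station, "data", "tx", 1400) for _ in range(300)]
    return frames


if __name__ == "__main__":
    learned = learn_thresholds(baseline_frames())
    print("learned thresholds:", learned)
    for alarm in run_normal_mode(burst_frames(), learned):
        print("ALARM minute=%d station=%s %s=%d > %d" % alarm)
```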

In one preferred embodiment, a command line interface is provided to configure 
settings that are not available within the graphical user interface. For example, the IP 
address of a hardware component can be changed, its system clock reset or set to 
"sync" with a network time server. In other embodiments, the graphical user interface 
and/or the command line interface can allow significant overlap of configuration 
capability. Further, some embodiments have only one or the other interface type. 
Finally, some embodiments provide no interactive interface for configuration and are 
limited to reading configuration data from a file, deriving configuration data from past 
monitoring of the wireless computer network or otherwise receiving this data. The 
command line interface in one preferred embodiment can be accessed either on the 
hardware component such as through a command shell such as the Linux Gnome 
Terminal or over the network using an SSH (preferably, version 2) client. 
In one preferred embodiment, a command shell automatically opens on the 
hardware component after booting. A terminal icon can appear on the task bar at the 
bottom of the display; clicking the icon opens additional terminal windows. At the 
command line prompt, a command is entered to launch the command line interface. 
An SSH client is launched and connected to the hardware component's IP 
address. The identity of the user making the connection is verified. At the command 
line prompt, enter the following command to launch the command line interface: 

Command Line Interface 

In one preferred embodiment, the screen displays in the terminal window 
provide five "program areas": 

o Network: offering options to change IP address, DNS servers, hostname, 
domain name, mail server, ARP, and create "allow" and "deny" lists. 
o Date: allowing time and date editing, time zone setting, and configuration of 
an NTP server. 
o Service: providing tools to fine-tune the hardware component parameters, 
configure data management, and reboot and shut down the component. 
o Users: allowing creation, editing, and deletion of user accounts allowed 
access to the graphical user interface. 
o Help: tips on using the application, and detailed help topics. 

Network 

Opening the network settings program area, the following commands are 
available in one preferred embodiment: 



Command 


Description 


IP 


IP address config 

Allows modification of the IP address, subnet mask, and default gateway 
for the hardware component logged onto. 

The "IP configuration" screen opens, displaying the current network 
configuration and allows modification. 


DNS 


Define DNS servers 

Adding or deleting a DNS nameserver. 

The "Nameserver screen" opens, displaying your current DNS server's IP 
address and allows addition, deletion and modification. 
Note: Multiple DNS servers can in some embodiments have an "order" for 
processing DNS requests. The first server on the list (identified by the 
numeral 1) is the first to offer name resolution; the second server on the list 
(identified by the numeral 2) is the second to process the request if the first 
is unable to do so. In order to change the order preference of multiple 
servers, all must be deleted and re-entered in the desired order for them to 
process DNS requests. 


HNAME 


Set hostname 

Changing the name of the hardware component. The Hostname screen 
displays your current hostname and allows modification. 
Bear in mind that whenever the hostname is changed, its name must also be 
modified in all devices that refer to it (e.g., DNS servers). 


DNAME 


Set domain name 

Changing the domain to which the hardware component belongs. The 
Domain name screen displays your current domain name and allows 
modification. 

Bear in mind that whenever the domain name is changed, it must also be 
modified in all devices that refer to it (e.g., DNS servers). 


MRELAY 


Config mail relay host 

Configuring a hardware component to send alarms by email. The Mail relay 

host screen appears and allows entry of qualified hostnames. 

In one embodiment, mail relay hosts may be referred to by IP address or 
fully qualified hostname (e.g., myhostname.mydomainname.com) of a mail 
server to process email alarm messages. 

Note: the mail server must be configured to allow this appliance to relay 
email through it, or at least to direct its mail to another mail server that will 
relay it. 


ARP 


Config permanent ARP table 

Creating a permanent ARP table. The ARP table screen displays your 
current ARP records and allows modification. 

In order to protect connections between this hardware component and 
remote administrators from being hijacked by man-in-the-middle ARP 
"blasts" (that redirect traffic for this IP address to an alternate MAC 
address), it is preferable to create permanent ARP records for gateways and 
other important machines. 


HALLOW 


Configure /etc/hosts.allow file 

Specifying which machines are allowed to connect to the hardware 
component. The Allow list screen displays your current list of allowed 
machines and allows modification. 

Machines allowed to connect to this hardware component can be specified. 
Only those whose IP address, subnet, fully qualified hostname, or domain 
name match an entry in this list are allowed to connect to this hardware 
component to run the available administrative programs and routines. 


HDENY 


Config /etc/hosts.deny file 

Identifying machines that may not connect to the hardware component. The 
Deny list screen displays your current list of denied machines and allows 
modification. 

Machines not allowed to connect to this hardware component can be 
specified. Anyone whose IP address, subnet, fully qualified hostname, or 
domain name matches an entry in this list is not allowed to connect to this 
hardware component. 

Note: HALLOW, in one preferred embodiment, takes precedence over 
HDENY. For example, if 123.456.789.963 is on the allow list, yet the 
subnet 123.456.789. is on the deny list, the individual machine above is 
allowed to connect to the appliance. 


Date 

Opening the date settings program area, the following commands are available 
in one preferred embodiment: 


Command 


Description 


TIME 


Time/Date config 

Allows configuration of the time/date for the hardware component. 


TZ 


Set time zone 

Allows configuration of the time zone for the hardware component. 


NTP 


Enable/disable NTP 

Allows configuration of the hardware component to use a network time 
server. 



Note: If you change the system time because, for example, you move the 
appliance's location from the east to west coast of the United States, you must also 
locate a new network time server in the same time zone. 



Services 

Opening the set appliance parameters, configure data management, and restart 
or shutdown the system area, the following commands are available in one preferred 
embodiment: 



Command 


Description 


TUNE 


Tune appliance parameters 

Allows users to modify some of the core values related to the environment's 
functionality. 


DMGT 


Data management 

Allows users to modify how the environment stores its data. 


REBOOT 


Reboot system 

Allows graceful restart of the hardware component. 


HALT 


Halt system 

Allows graceful shutdown of the hardware component. 



Users 

Opening the Users program area, the following commands are available in one 
preferred embodiment: 



Command 


Description 


NEWU 


Create user 


EDITU 


Edit user 


DELU 


Delete user 



The functionality of these features can in one preferred embodiment match with 
like functionality provided in a standard LINUX user management facility. 

Various methods and functions as exhibited in various embodiments according 
to the present invention are described above and below with respect to network security 
enhancement. In some embodiments, one or more processors within architectures of 
the environments as described above may execute the steps in such methods and 
provide such functionality. The functionality may spread across multiple processing 
elements. In other embodiments, any suitable computer readable storage device, media 
or combination of devices and/or media, including primary storage such as RAM, 
ROM, cache memory, etc. or secondary storage such as magnetic media including fixed 
and removable disks and tapes; optical media including fixed and removable disks 
whether read-only or read-write; paper media including punch cards and paper tape; or 
other secondary storage as would be known to those skilled in the art, may store 
instructions that upon execution by one or more processors cause the one or more 
processors to execute the steps in such methods and to provide such functionality. 
Vulnerability Assessment and Threat Identification 

Vulnerability assessment is accomplished by analyzing WLAN traffic, and 
discovering access points and workstations. The system determines how many bytes of 
data stations are sending and receiving, the mean signal strength for an entire day or the 
high/low signal strength for each minute. It can distinguish between network traffic 
internal to the wireless network and traffic originating from or destined to the physical, 
wired network, and which stations are the largest senders and receivers of data. The 
system produces broad summaries of data that report high, low, and mean values for a 
variety of traffic parameters, and detailed views that show minute-by-minute snapshots 
of your traffic. Traffic parameters include the breakdown of frame traffic (control, 
management, data, and error frames) and network routing information. The system 
determines if any traffic has not been encrypted, whether users are authenticated, and 
whether all hardware is properly configured. The system detects rogue deployments by 
identifying and locating unauthorized WLANs and ad hoc networks (peer-to-peer 
networks) that violate company policy and jeopardize security. The system identifies 
suspicious WLAN traffic across unauthorized channels and frequencies, which can be a 
common sign of intruders accessing your WLAN or employees abusing their network 
privileges. 

The systems and methods according to one preferred embodiment use an audit 
of existing wireless hardware and perform a survey of the air space surrounding the 
wireless network prior to activating intrusion detection. In this way, a baseline activity 
level can be determined. 
Step 1: Hardware Audit 

Identify every access point in the wireless computer network. Obtain or 
determine for each its MAC address, Extended Service Set name, manufacturer, 
supported transmission rates, authentication modes, and whether or not it is configured 
to run Wired Equivalent Privacy (WEP) and wireless administrative management. In 
addition, identify every workstation equipped with a wireless network interface card, 
and record the MAC address of each device. Take note of any physical features in the 
environment (walls, competing electronic devices such as microwave ovens, cordless 
phones, etc.) that might interfere with wireless signals. 

The hardware audit serves as the baseline against which the systems and 
methods according to the present invention can compare. That is, all access points and 
wireless stations should be detected by the various embodiments of the present 
invention. (If an access point or station is not detected, follow logical troubleshooting 
steps.) On the other hand, it is likely that more devices than expected will be detected. 
Some of these may be stations or access points not identified or of which no one was 
aware. Others may be "rogue" devices—surreptitious or unauthorized installations in 
the network—or harmless equipment belonging to nearby companies, and others may be 
actual hackers. Once the systems and methods according to the present invention are in 
intrusion detection mode, all detected access points and stations can be reported. 

Step 2: Survey Perimeter 

Preferably a mobile hardware component according to the present invention is 
walked around the perimeter of the wireless computer network in a powered up state 
(allowing it to collect data as it is moved), or placed in a central location for 12 to 24 
hours to collect a larger amount of data. The benefit of a "walk-around" survey is that 
it generates a nearly immediate picture of the existing wireless "air space." The benefit 
of a "stationary" survey is that over a longer period of time, there is greater certainty of 
detecting devices that only operate intermittently or hackers attempting to penetrate the 
network off-hours. Repetition of the survey, whether walking or stationary, should 
occur on all 11 channels. 

Stationary Data Collection 

Depending on the size of the wireless network, a hardware component can be 
placed at the four corners or at intermediate points in the Extended Service Set 
footprint. At each location, the component should be allowed to passively monitor 
network traffic for 12-24 hours. Hard copy of network data should be preserved prior 
to each move. 

Walk-around Data Collection 

Simply walk around the perimeter of the wireless network with the hardware 
component powered on and open to an overview screen. The various access points and 
stations within the wireless computer network can be detected. Compare this 
information with the hardware audit made prior to collecting this data. Repeat this 
walk-around survey for each of the eleven channels. 

Step 3: Configure to "Recognize" this Network 
Each access point detected should be designated as authorized or unauthorized. 
Each observed station should be designated as valid or not. 

Step 4: Place hardware components in discrete locations throughout the wireless 
network. 

Leave a component in each location from 1-3 days. Each day, print reports to 
preserve captured information. Based upon this information, specific access point and 
station related thresholds can be tuned to distinguish between normal and abnormal 
traffic patterns. 

The intrusion detection system (IDS) engine listens to wireless network traffic. 
FIG. 3 depicts one preferred process the IDS follows in evaluating data associated with 
received traffic. In the depicted exemplary process, all packets pass through four 
detection systems: signature-based testing, protocol-based testing, anomaly-based 
testing, and policy deviation-based testing; other embodiments may use one or more of 
these tests, or other tests, in varying combinations. 

Initially, configuration information is received in step 305, typically including 
network default data and risk criteria. This information can be retrieved from a file, 
derived or obtained from monitoring the network and/or entered interactively at the 
outset of the process. The system reads or receives frames from the wireless network 
in step 310. The received frames are interrogated as follows. 

The information within the frame is interrogated to determine if a known attack 
signature has been identified in step 325. Signatures encode datalink layer attack 
patterns as combinations of packet sequences and state. For example, active probing 
emits a pattern or sequence of network requests. This sequence can be recognized by 
its packet sequence signature. If the attack signature is identified, the intrusion 
detection system signals an alarm manager to deliver an alert to the administrator in 
step 345. 

If no attack signature is identified, the frame information is passed through a 
protocol violation engine to determine if the protocol used in the frame is authorized in 
step 330. Protocol analysis examines whether or not protocol usage is legitimate. For 
example, emitting a large number of association or disassociation requests in a short 
interval is not a legitimate use of the protocol. If the protocol used in the frame is 
outside of the authorized protocol set, the intrusion detection system signals an alarm 
manager to deliver an alert to the administrator in step 345. 
If the protocol test passes, in step 335, the IDS checks the frame data for 
statistical anomalies against the SDS, or a statistics database maintained therein. 
Anomaly-based detection computes such values as the mean, non-zero mean, standard 
deviation, autocorrelation and peak for each time slice throughout the day. This can be 
used to create a normalized statistics database for each time slice and user. Current 
activity is then monitored and compared with the recorded statistics vector. If the 
difference is larger than a configurable threshold, an alert is generated. Instead of, or in 
addition to, this approach, a Bayes test can be applied to deduce the probability that the 
current statistics vector is an attack as opposed to a legitimate sequence. If an anomaly 
exists, the intrusion detection system signals an alarm manager to deliver an alert to the 
administrator in step 345. 

If no anomaly is detected, the system interrogates the frame to determine if a 
pre-defined policy has been violated in step 340. Policy testing compares the observed 
activity with a configurable set of activity rules stored in the SDS. For example, a rule 
can declare that only specific hosts with specific addresses and specific network cards 
can access the network. If a pre-defined policy has been violated, the intrusion 
detection system signals an alarm manager to deliver an alert to the administrator in 
step 345. 

The tests outlined above and depicted in FIG. 3 are performed serially. In other 
embodiments, one or more of these tests may occur in parallel. Further, subsequent 
tests only occur if a prior test was passed. In a further preferred embodiment, all tests 
occur irrespective of the outcome of a prior test; consequently, a single read frame 
could potentially generate an alarm for every test performed on it. 

Alerts can be in any suitable form delivered to any suitable platform 
including, without limitation, a screen display to a monitor, a page to a pager, an 
outgoing voice call to a telephone, an SMS message to a mobile telephone, an e-mail 
message to a valid address, posted to a Web page available via an appropriate Web 
server or a WAP alert to a WAP enabled device. Various types of screen displays and 
reports may be used to provide information regarding generated alarms. 
In one preferred embodiment referred to as AirDefense Mobile in U.S. 
Provisional Patent Application Serial Number 60/381,829 entitled "SYSTEMS AND 
METHODS FOR NETWORK SECURITY" filed May 20, 2002, preferred interfaces 
for reviewing and reporting alarms are described in detail. The contents of this 
application are hereby incorporated by this reference herein for all purposes. 

In some embodiments, the outputs of all IDS tests are then compared and a 
confidence level computed in step 345. In one such embodiment, in the case where 
only a statistical anomaly is detected, it is flagged as a lower level performance alert. 
In the case where one or more other violations are detected, the alarm is elevated to an 
intrusion alarm. 

Some embodiments may use a variety of data stores in implementing the above 
process to track data across multiple iterations of the process; such data stores can in 
one preferred embodiment be part of an SDS as described above. Some such 
embodiments can include a statistics database, a station database and/or a state data 
store. In such embodiments, some or all of the following steps depicted in FIG. 3 can 
occur. 

In step 315, a station database is updated. This database contains, in one 
preferred embodiment, per-station and per-access-point records with information 
describing device address, communications state, timestamps of first and last activity, 
counts of byte transmissions and local policy information describing whether the device is 
authorized or not for usage in the monitored network. 

In step 320, state information is updated. State refers to whether or not the 
device has been seen before and whether the station is in an unauthenticated and 
unassociated, authenticated, authenticated and associated, or unknown state with 
respect to the wireless computer network. 

In step 350, a determination is made as to whether a particular statistics interval 
has been completed. If so, statistics in an SDS are updated in step 355, and processing 
continues with the next frame in step 310. Otherwise, processing simply continues in 
step 310 with the next reading or receiving of a frame. 

A modified and enhanced version of the above approach is used where network 
traffic is monitored from multiple input devices such as with the embodiments depicted 
in FIGs. 2B-E. FIG. 4 depicts this enhanced process starting at step 405. 

Step 410 is analogous to step 305 from the process of FIG. 3. In step 410, 
configuration information is received. As before, this is typically done through reading 
system configuration files, monitoring the network and/or interactive entry at the outset 
of the process. This information typically includes network default data and risk 
criteria such as access point configuration data (MAC Address of the access point, 
Access Point Name, etc.), station configuration data and various threshold values. 

In step 430, a wireless packet frame is received from each input device (e.g., 
hardware components 210A-D, host system 220 and/or sensors 230A, 230B). Frames 
are read so that the frame content can be interrogated. 

Each read frame is interrogated by a multi-dimensional intrusion detection 
system (IDS) such as detailed above with respect to FIG. 3, and the outputs of all IDS 
tests are then compared and a confidence level computed in step 435. As with the 
process above, other tests, either alone, in combination with each other or in 
combination with one or more of those described above, may be used in other 
embodiments. 

In step 440, in the case where only a statistical anomaly is detected, it is flagged 
as a lower level performance alert. In the case where, in addition to the statistical 
anomaly, one of the other violations has been detected, the alarm is elevated to an 
intrusion alarm and an alarm manager is alerted in step 444. Other embodiments do not 
rely on aggregate test outcome but determine alarm status on single test outcomes. 
Further, some embodiments can use other test types and outcome combinations to 
determine type and severity of alarms generated. 

If an alarm is not detected in step 440, a test to see if a predetermined interval 
for gathering statistics has been reached occurs in step 460. If the end of the 
pre-configured statistics gathering interval has occurred, the SDS is updated in step 470 to 
reflect the statistics gathered from the received frames over the interval. Statistics are 
gathered by monitoring traffic between network nodes and include minute-by-minute 
statistics about BSS frame types and traffic volumes, summaries of transmission 
statistics for all stations associated with access points, current-minute transmission 
statistics for all stations, and detailed minute-by-minute transmission statistics for any 
individual station in the wireless computer network. 
Data fusion occurs on a batch basis by aggregating data from multiple 
databases. This process begins at step 414. The process integrates statistical data from 
multiple databases that is generated through frame monitoring and intrusion detection 
engines. This approach provides a methodology for managing data received from input 
devices such as hardware devices 210A-D and/or sensors 230A, 230B deployed at 
multiple sites and for aggregating enterprise data at a single central system such as host 
220. 

The Attack and Station Profile database is read at step 418 to begin a processing 
loop to integrate databases from separate sources. Correlation and pattern recognition 
are performed at step 420 to update the attack and station profiles in step 424. The 
processing loop then sleeps at step 428 until the next processing loop interval is to take 
place based on the pre-configured time interval or trigger. 

After the alarm manager is signaled in step 444, the attack and station profile 
database is read in step 448; in this step, existing attacks are queried and existing 
station security state is queried. In step 450, this data is compared to the newly 
generated alarm. If it is sufficiently similar, no new external notification occurs in 
step 454. If it is not, a new notification message is generated in step 454 and console 
display and/or external messaging of the alarm occurs in step 458. 
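
One way to model the test-combination rule of step 440 and the profile comparison of steps 448 to 458, as an added example that is not code from the patent; the four test names, the "sufficiently similar" rule and the in-memory profile store are assumptions:

```python
"""Combine multi-dimensional IDS test outcomes into an alarm and compare it
against the attack and station profile store before notifying (steps 435-458).
Added example, not the patent's code: the four test names, the similarity rule
and the in-memory profile store are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PERFORMANCE_ALERT = "performance alert"  # only a statistical anomaly was found
INTRUSION_ALARM = "intrusion alarm"      # another violation, with or without it


@dataclass
class TestOutcomes:
    """Per-frame results of the IDS tests (True means the test flagged the frame)."""
    signature: bool = False   # known attack signature matched
    protocol: bool = False    # protocol violation
    anomaly: bool = False     # statistical anomaly in the current statistics vector
    policy: bool = False      # configured policy rule violated


@dataclass
class Alarm:
    station: str              # MAC address of the station the frame came from
    level: str
    reasons: List[str]        # names of the tests that flagged the frame


def classify(outcomes: TestOutcomes) -> Optional[str]:
    """Step 440 rule: anomaly alone is a lower-level performance alert; any
    other violation (alone or together with the anomaly) is an intrusion alarm.
    Treating a violation without an anomaly as an intrusion is an assumption."""
    flagged = [name for name, hit in vars(outcomes).items() if hit]
    if not flagged:
        return None
    if flagged == ["anomaly"]:
        return PERFORMANCE_ALERT
    return INTRUSION_ALARM


class ProfileStore:
    """Stand-in for the attack and station profile database read in step 448."""

    def __init__(self) -> None:
        self.active: Dict[str, Alarm] = {}   # most recent alarm per station MAC

    def is_duplicate(self, alarm: Alarm) -> bool:
        """Step 450: 'sufficiently similar' here means the station already has an
        active alarm at the same level whose reasons cover the new alarm's reasons."""
        prev = self.active.get(alarm.station)
        return (prev is not None and prev.level == alarm.level
                and set(alarm.reasons) <= set(prev.reasons))

    def record(self, alarm: Alarm) -> None:
        """Step 454: update the station's security state with the new alarm."""
        self.active[alarm.station] = alarm


def handle_frame(store: ProfileStore, station: str,
                 outcomes: TestOutcomes) -> Optional[Alarm]:
    """Return the alarm to display or message externally (step 458), or None
    when nothing was flagged or the alarm duplicates one already recorded."""
    level = classify(outcomes)
    if level is None:
        return None
    flagged = [name for name, hit in vars(outcomes).items() if hit]
    alarm = Alarm(station, level, flagged)
    if store.is_duplicate(alarm):
        return None                      # step 454: no new external notification
    store.record(alarm)
    return alarm


if __name__ == "__main__":
    # Constructed sequence of per-frame outcomes from one station.
    store = ProfileStore()
    mac = "00:11:22:33:44:55"  # constructed sample address
    for label, out in [("anomaly only", TestOutcomes(anomaly=True)),
                       ("anomaly again", TestOutcomes(anomaly=True)),
                       ("anomaly + policy", TestOutcomes(anomaly=True, policy=True))]:
        print(label, "->", handle_frame(store, mac, out))
```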

In some embodiments, the scanning of air waves for network activity can be 
adaptive in nature. In a typical configuration, wireless network channels are scanned 
for activity according to a predefined pattern. According to an adaptive approach, the 
predefined pattern can serve as an initial and/or baseline pattern. This pattern can then 
be adapted based upon actual activity in the scanned channels. 

This mechanism allows the system to deterministically scan all wireless 
channels through time-based multiplexing while also allowing the system to adaptively 
adjust the time spent on a given channel based on current and past activity. A typical 
scenario would be to monitor a fixed set of channels and periodically perform a 
background scan of the remaining channels; FIG. 14 depicts an example interface for 
configuring such a baseline or default scan pattern. If any activity is observed on a 
channel expected to be idle or unauthorized activity is discovered, the system adapts by 
adding this channel to its primary scanning pattern. If activity then diminishes, this 
channel will be removed from the primary scanning pattern and then scanned next 
during the background scanning mode. The system can utilize either pre-configured 
thresholds or user-entered thresholds to determine the trigger point at which to start or 
stop dynamic monitoring of the channel. Additionally, automated controls can be 
included that will lock onto the channel if a security violation has been detected per the 
underlying multi-dimensional analysis engine. 

With reference to FIG. 11, the monitoring system is initialized in step 1110. 
Initialization in step 1110 can include the FIG. 4 configuration process and/or the step 
910 initialization in FIG. 9 as previously discussed. After initialization, a primary 
network scan occurs according to a predetermined scan pattern in step 1115. A 
background scan can occur after each primary network scan. Alternatively, as 
depicted, a background scan may only occur based upon a particular trigger condition 
such as random determination, after a certain number of primary scans or after a certain 
time period has passed. A decision as to whether the particular condition to trigger a 
background scan has occurred is made at step 1120. In step 1125, the background scan 
occurs. A determination is then made in step 1130 as to whether an unauthorized 
device has been detected during the background scan. If not, processing continues at 
step 1115 with a primary network scan. 

If a device was detected, the scan pattern for the primary network is adapted in 
step 1135. This modified scan pattern is then used for scanning the wireless channels 
in step 1140. As above, background scans can occur after each such modified scan, or 
as depicted, can occur according to a trigger condition. In step 1145, a determination 
is made as to whether fewer unauthorized devices were identified in the modified scan. 
If so, a determination is then made as to whether any unauthorized devices are still 
being detected in step 1165. If no unauthorized devices are still being detected, the 
scan pattern is reset to the predetermined original scan pattern at step 1170 and 
processing continues with a primary scan at step 1115. If some unauthorized devices 
are still being detected, the scan pattern is modified accordingly in step 1135 and 
processing continues with step 1140. 

If fewer devices were not found in step 1145, a determination is made as to 
whether a background scan should occur in step 1150. If not, processing continues 
with a further modified scan at step 1140. If so, at step 1155, the background scan 
occurs. A determination is made in step 1160 as to whether a previously unidentified 
unauthorized device has been detected. If so, the scan pattern is modified accordingly 
in step 1135 and processing continues with step 1140. If not, the processing continues 
with step 1140. 

Those skilled in the art will readily appreciate that the described process is 
exemplary and that the steps described need not occur in the exact order described but 
can proceed logically in other apparent orderings. For instance, the background scan 
determination loop in the modified scan portion of the flow could as readily occur 
before the fewer-device determination step as after. Additional order alterations should 
be apparent and are contemplated within the scope of the present invention. 
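
The FIG. 11 scan loop above, as an added example that is not code from the patent: a predetermined primary pattern, a background scan on a trigger condition, promotion of channels where unauthorized devices are heard, demotion of added channels that go quiet, and a reset to the original pattern once nothing remains. The observe callback, the every-Nth-scan trigger and the channel bookkeeping are assumptions.

```python
"""Adaptive channel scanning after FIG. 11: a predetermined primary pattern, a
background scan of the remaining channels on a trigger condition, and a pattern
that is adapted when unauthorized devices are heard and reset once they are
gone. Added example, not the patent's code; the observe callback, the trigger
rule and the channel bookkeeping are assumptions."""
from typing import Callable, Dict, List, Set

# observe(channel) -> MAC addresses of unauthorized devices heard on that channel
Observe = Callable[[int], Set[str]]


class AdaptiveScanner:
    def __init__(self, primary: List[int], all_channels: List[int],
                 background_every: int = 3) -> None:
        self.all_channels = list(all_channels)
        self.baseline = list(primary)          # predetermined pattern (step 1115)
        self.primary = list(primary)           # current, possibly modified, pattern
        self.background = [c for c in all_channels if c not in primary]
        self.background_every = background_every  # trigger: every Nth primary scan
        self.primary_runs = 0
        self.heard: Dict[int, Set[str]] = {}   # most recent result per channel

    def _scan(self, channels: List[int], observe: Observe) -> Set[str]:
        """Time-based multiplexing: dwell on each channel in turn."""
        found: Set[str] = set()
        for ch in channels:
            devices = set(observe(ch))
            self.heard[ch] = devices
            found |= devices
        return found

    def background_due(self) -> bool:
        """Trigger condition of steps 1120 and 1150: every Nth primary scan."""
        return self.primary_runs % self.background_every == 0

    def adapt(self) -> None:
        """Step 1135: a channel with unauthorized activity joins the primary
        pattern; an added channel that has gone quiet returns to the background
        set and is scanned first in the next background pass."""
        for ch, devices in sorted(self.heard.items()):
            if devices and ch not in self.primary:
                self.primary.append(ch)
                self.background.remove(ch)
            elif not devices and ch in self.primary and ch not in self.baseline:
                self.primary.remove(ch)
                self.background.insert(0, ch)

    def reset(self) -> None:
        """Step 1170: nothing unauthorized remains, back to the original pattern."""
        self.primary = list(self.baseline)
        self.background = [c for c in self.all_channels if c not in self.baseline]

    def cycle(self, observe: Observe) -> Set[str]:
        """One pass through FIG. 11: primary (or modified) scan, background scan
        when the trigger fires, then adapt or reset the pattern. Returns the
        unauthorized devices heard during the pass."""
        found = self._scan(self.primary, observe)
        self.primary_runs += 1
        if self.background_due():
            found |= self._scan(self.background, observe)
        if found:
            self.adapt()
        elif self.primary != self.baseline:
            self.reset()
        return found


if __name__ == "__main__":
    # Constructed activity: a rogue device appears on channel 3, then goes away.
    activity: Dict[int, Set[str]] = {3: {"aa:bb:cc:00:00:01"}}
    scanner = AdaptiveScanner([1, 6, 11], list(range(1, 12)), background_every=1)
    print(scanner.cycle(lambda ch: activity.get(ch, set())), scanner.primary)
    activity.clear()
    print(scanner.cycle(lambda ch: activity.get(ch, set())), scanner.primary)
```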

Further, enhanced embodiments may utilize multi-channel receivers in which 
adaptive scanning may occur uniquely per receiver. This allows, for example, multiple 
channels or multiple frequency bands to be scanned and monitored in parallel. 

As described above, systems and methods according to the present invention 
can automatically generate alarms whenever certain events or conditions occur within 
your wireless network. In some embodiments, an alarm manager providing an interface 
for viewing can be provided; such an interface is described in greater detail in 
co-pending U.S. Provisional Patent Application Serial Number 60/381,829 entitled 
"SYSTEMS AND METHODS FOR NETWORK SECURITY" filed May 20, 2002. 

The following table identifies the alarms, alarm subtypes and severities available in one 
preferred embodiment referred to as AirDefense Mobile. 

Alarm Type | Alarm Subtype | Description | Alarm Level
DoS Attack | De-authenticate | AirDefense Mobile detects when a hacker pretends to be an Access point and broadcasts a "de-authenticate" message. This forces all Stations to re-authenticate themselves, generating excessive network traffic, and causing inconsistent connectivity and data transfer. | Critical
DoS Attack | Disassociate | AirDefense Mobile detects when a hacker pretends to be an Access point and broadcasts a "disassociate" message. This forces all Stations to re-associate themselves with the Access Point, generating excessive network traffic, and causing inconsistent connectivity and data transfer. | Critical
Unauthorized Station | Not on allow list | AirDefense Mobile detects a Station whose MAC address is not on its valid list. (A valid list is maintained by the system.) | Critical
Threshold | GLB CRC errors | AirDefense Mobile detects if CRC errors exceeded configured limits (CRC errors are generated when checksums fail on individual frames). | Major
Threshold | BSS assoc count | AirDefense Mobile detects when the number of associations within an entire BSS, in any given minute, exceeds the number specified in configuration information. | Major
Threshold | BSS signal strength | AirDefense Mobile detects when the signal strength in any access point falls below a specified threshold. | Critical
Threshold | BSS fragments | AirDefense Mobile detects when the number of fragmented frames within any minute exceeds a specified threshold. | Minor
Threshold | BSS decrypt errors | AirDefense Mobile detects when the number of decrypt error frames within any minute exceeds a specified threshold. | Major
Threshold | BSS assoc stations | AirDefense Mobile detects when the total number of associated Stations within an entire BSS, in any given minute, exceeds a specified number. | Minor
Threshold | BSS tbw in | AirDefense Mobile detects when, during any minute, the number of bytes of data entering the BSS from the wired portion of your network exceeds a set threshold. | Minor
Threshold | BSS tbw out | AirDefense Mobile detects when, during any minute, the total number of bytes of data going from the BSS to a wired portion of your network exceeds a set threshold. | Minor
Threshold | BSS tbw intra | AirDefense Mobile detects when, during any minute, the total number of bytes of data originating from and destined for the BSS exceeds a specified threshold. | Minor
Threshold | BSS tbw thru | AirDefense Mobile detects when, during any minute, the total number of bytes of data originating from a wired portion of the network that hop through the BSS to another wired portion of the network exceeds a set threshold. | Minor
Threshold | BSS data | AirDefense Mobile detects when, during any minute, the total number of data frames in the BSS exceeds a specified threshold. | Major
Threshold | BSS mgt | AirDefense Mobile detects when, during any minute, the total number of management frames in the BSS exceeds a specified threshold. | Major
Threshold | BSS ctl | AirDefense Mobile detects when, during any minute, the total number of control frames in the BSS exceeds a set threshold. | Major
Threshold | BSS ad hoc | AirDefense Mobile detects when, during any minute, the total number of Ad Hoc frames in the BSS exceeds a specified threshold. Note: Wireless network adaptor cards of lesser quality will randomly generate ad hoc frames. AirDefense Mobile's default threshold (1) may cause all of these spurious frames to generate an alarm. After monitoring the network for a week or two, it may be advisable to set the threshold to a number at or a little higher than what the network normally generates. | Critical
Threshold | STA assoc count | AirDefense Mobile detects, during any minute, when any Station associates with an access point more times than provided by a specified threshold. | Major
Threshold | STA signal strength | AirDefense Mobile detects, during any minute, when any station's signal strength falls below a value specified. | Critical
Threshold | STA fragments | AirDefense Mobile detects, during any minute, when any station generates more fragmented frames than a specified value. | Minor
Threshold | STA decrypt errors | AirDefense Mobile detects, during any minute, when any station generates more decrypt errors than a set threshold. | Major
Threshold | STA tbw received | AirDefense Mobile detects, within any minute, when any station receives more bytes of data than a predetermined threshold. | Minor
Threshold | STA tbw transmitted | AirDefense Mobile detects, within any minute, when any station transmits more bytes of data than specified in a set threshold. | Minor
Threshold | STA data received | AirDefense Mobile detects, within any minute, when any station receives more data frames than a specified threshold. | Major
Threshold | STA data transmitted | AirDefense Mobile detects, within any minute, when any station transmits more data frames than a specified threshold. | Major
Threshold | STA mgt received | AirDefense Mobile detects, within any minute, when any station receives more management frames than a specified threshold. | Major
Threshold | STA mgt transmitted | AirDefense Mobile detects, within any minute, when any station transmits more management frames than a set threshold. | Major
Threshold | STA ctl receive | AirDefense Mobile detects, within any minute, when any station receives more control frames than a specified threshold. | Major
Threshold | STA ctl transmit | AirDefense Mobile detects, within any minute, when any station transmits more control frames than a set threshold. | Major
ID Theft | Out of sequence | AirDefense Mobile detects when frames are transmitted out of sequence. This suggests that someone has spoofed a Station and is sending data at the same time as the legitimate Station. | Critical
ID Theft | Vendor out of character | AirDefense Mobile compares every Station's transmissions against an internal database of known vendor transmission "profiles" or "signatures." If the actual network traffic does not match the vendor-profile associated with the Station's Wireless NIC, AirDefense Mobile assumes that the traffic originates from an unauthorized station using a spoofed NIC. | Critical
ID Theft | Anomalous signal strength | AirDefense Mobile tracks the high, low, and mean signal strength of each station many times a minute throughout the day. Whenever it detects that the Station's signal strength deviates from the norm, it generates an alarm. | Critical
Access Point Mode | WEP mode changed | AirDefense Mobile detects when the WEP value in an access point's beacon differs from the value it is supposed to be. (AirDefense Mobile auto-detected the WEP property, or it was manually entered.) | Critical
Access Point Mode | Rate changed | AirDefense Mobile detects when the supported transmission rate values in an access point's beacon differ from the values they are supposed to be. (AirDefense Mobile auto-detected the rate property, or it was manually entered.) | Critical
Access Point Mode | Channel changed | AirDefense Mobile detects whenever an access point changes channels. (The channel is identified in configuration information.) | Critical
Access Point Mode | Cf changed | AirDefense Mobile detects when the Point Coordination value in an AP's beacon changes. A change in this field may indicate that the access point was reconfigured, though this is not necessarily a problem. (The Point Coordination field refers to the access point's mode of collision avoidance.) | 
Access Point Mode | Essid changed | AirDefense Mobile detects when the access point's broadcast of its Extended BSS ID changes. The ESSID information is stored as configuration information. | 
Unauthorized AP Admin | | AirDefense Mobile detects when administration sessions are being conducted directly with the access point. | Critical
Odd Mgt. Frame | Sta tx ap mgt fr | AirDefense Mobile detects when a Station is transmitting a management frame reserved for access point's use. | Critical
Odd Mgt. Frame | Ap tx illegal mgt fr | AirDefense Mobile detects when an access point transmits an illegal management frame. | Critical
Odd Mgt. Frame | Out of spec frame | AirDefense Mobile detects when an access point transmits a frame that does not follow 802.11b standards. | Critical
Odd Mgt. Frame | Other bogus frame | AirDefense Mobile detects when an access point transmits any frame it does not understand. | Critical
Ad Hoc Net Detected | | AirDefense Mobile detects when Stations are directly transmitting and receiving to and from each other without using an authorized access point. Note: Unlike all other alarms that are generated every time the network event is detected within a minute, AirDefense Mobile will only generate an Ad Hoc Network alarm once in the current 24 hour period for each MAC address. | Critical
AP Beacon Rate | | AirDefense Mobile detects when an access point's beacon rate changed. | Critical


The present systems and methods allow an end-user to specify and implement 
the security and policy constraints associated with a particular wireless network 
deployment. Once configured with such information, the network activity is monitored 
on a continuous basis to determine if the activity is within the guidelines specified by 
the established constraints. 

If the activity is found to not be in compliance with the established constraints, 
a real-time alarm is generated and reported to the user through a number of 
mechanisms. These mechanisms can include Web, Email, SNMP and Syslog 
notification. In some embodiments, the response is not limited to notification. These 
embodiments can include automated enforcement and/or active defensive measures as 
discussed below. 

Automated Policy Enforcement 

Some embodiments support automated enforcement of constraints including, 
without limitation, thresholds and/or alarms. In such embodiments, attempts to rectify 
the policy deviation through re-configuration of the affected device or devices can 
occur automatically upon detection of the deviation. This reconfiguration attempts to 
implement the specified policy within the relevant devices. 

This process can be viewed as a form of a feedback control loop. In many 
cases, such a loop operates by comparing a reference input to a measured output, 
computing their difference, and using this difference to adjust the desired output. This 
continues to drive the desired output to compliance with the reference input. 

FIG. 10 depicts an exemplary process that includes automated policy 
enforcement. An initialization step occurs to retrieve expected norms and configure 
data monitoring processes in step 1010. Normal monitoring of network activity occurs 
in step 1020. The monitored activity is checked for compliance with established 
constraints in step 1030. If a violation was not detected, processing continues at step 
1020. 

If a constraint is violated, a notification (alert) can be generated and forwarded 
to a user and/or other systems (not shown). Such notifications can, in some 
embodiments, include information regarding the violation and/or one or more links that 
upon activation: (1) cause the display of information regarding the violation, (2) cause 
the activation of an interactive interface via which a user can attempt to manually 
rectify and/or manage the violation and/or (3) cause automatic attempts to wholly, or 
partially, rectify the violation. The notification can be sent via any suitable delivery 
platform as provided hereinabove with respect to alerts in general. 

If a violation was detected, normal monitoring for additional violations can 
continue as depicted by simultaneously returning to step 1020 as well as proceeding to 
step 1040; alternatively, normal monitoring could be suspended until handling of the 
detected violation is complete. 

The violation will typically have associated with it a set of one or more wireless 
network attributes. A procedure associated with the detected violation, and/or the 
attributes associated therewith, is triggered that attempts to manually, 
semi-automatically or automatically rectify the underlying cause of the violation. At step 
1040 a communication channel is established with one or more devices associated with 
the detected violation, and/or the attributes associated with the detected violation. 
Commands to rectify the detected violation can then be sent to impacted devices in step 
1050. The commands sent will depend at least in part upon the detected violation 
and/or the attributes associated therewith. At this point, the process may end in some 
embodiments. 

Some embodiments may further make a determination as to whether the 
reconfiguration attempt was successful in step 1060. In some such embodiments, the 
determination may include a determination of a success level indicating partial 
handling of the violation. Based upon the outcome of the determination, some 
embodiments may make further attempts to correct, or complete the correction of, the 
violation through additional attempts to reconfigure the same or different devices as in 
the previous correction attempts. Step 1070 represents a decision as to whether further 
attempts should be made. This decision may rest on a number of factors including, 
without limitation, number of correction attempts, degree of success of prior attempts, 
appearance of additional issues resulting from prior attempts, etc. 

Whether the attempt to enforce the policy is successful or unsuccessful, status 
information concerning the network can be updated in step 1080. For instance, if the 
procedure successfully, or partially successfully, rectifies the cause of the violation, any 
triggered alert or alerts can be cancelled, updated or otherwise modified to indicate the 
present status of the violation. 
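
The FIG. 10 feedback loop of steps 1030 to 1080, as an added example that is not code from the patent: the observed access point configuration is compared with the policy, only the commands needed to close the difference are sent, the device is re-read, and the loop retries up to a limit before reporting the status used to update the alert. The policy attributes, the simulated access point interface and the attempt limit are assumptions.

```python
"""Automated policy enforcement as a feedback control loop (FIG. 10, steps 1030
to 1080): compare the observed access point configuration with the policy,
send only the commands needed to close the difference, re-check the device and
retry up to a limit before reporting the status used to update the alert.
Added example, not the patent's code: the policy attributes, the simulated
access point interface and the attempt limit are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Policy:
    """Reference input: the configuration the access point is expected to have."""
    wep_enabled: bool
    channel: int
    essid: str

    def as_dict(self) -> Dict[str, object]:
        return {"wep_enabled": self.wep_enabled, "channel": self.channel,
                "essid": self.essid}


class SimulatedAccessPoint:
    """Constructed stand-in for the management interface reached over the
    communication channel of step 1040 (HTTP, SNMP or a CLI in practice).
    Attributes listed in `locked` ignore commands, so a partial result can be shown."""

    def __init__(self, state: Dict[str, object], locked: Tuple[str, ...] = ()) -> None:
        self.state = dict(state)
        self.locked = set(locked)
        self.commands_sent: List[Dict[str, object]] = []

    def read(self) -> Dict[str, object]:
        """Measured output: the configuration the device currently reports."""
        return dict(self.state)

    def apply(self, commands: Dict[str, object]) -> None:
        self.commands_sent.append(dict(commands))
        for key, value in commands.items():
            if key not in self.locked:
                self.state[key] = value


def violations(policy: Policy, observed: Dict[str, object]) -> Dict[str, object]:
    """Step 1030: the difference between reference input and measured output,
    expressed as the attribute values that still have to change."""
    return {k: v for k, v in policy.as_dict().items() if observed.get(k) != v}


def enforce(policy: Policy, ap: SimulatedAccessPoint,
            max_attempts: int = 3) -> Tuple[str, int, Dict[str, object]]:
    """Steps 1040 to 1080. Returns (status, attempts made, remaining violations);
    status is 'compliant' (nothing to do), 'resolved', 'partial' (fewer
    violations than at the start) or 'failed', ready for the step 1080 update."""
    initial = violations(policy, ap.read())
    if not initial:
        return ("compliant", 0, {})
    attempts = 0
    remaining = initial
    while remaining and attempts < max_attempts:   # step 1070: try again?
        ap.apply(remaining)                          # step 1050: targeted commands
        attempts += 1
        remaining = violations(policy, ap.read())    # step 1060: success check
    if not remaining:
        status = "resolved"
    elif len(remaining) < len(initial):
        status = "partial"
    else:
        status = "failed"
    return (status, attempts, remaining)


if __name__ == "__main__":
    policy = Policy(wep_enabled=True, channel=6, essid="corp-wlan")  # constructed
    ap = SimulatedAccessPoint({"wep_enabled": False, "channel": 11,
                               "essid": "corp-wlan"}, locked=("channel",))
    print(enforce(policy, ap), ap.commands_sent)
```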

These steps can be executed upon a system processor or can be stored as 
executable instructions upon or across one or more computer readable media. Data 
used by the steps can be stored within the SDS described above. The communication 
channel established with the one or more devices can be made through one or more 
communication interfaces; such communication interfaces can be network interfaces, 
serial or parallel interfaces (e.g., USB, etc.), modem, or other suitable communication 
interface allowing communication between the system processor and the device. 

Automatic resolution of the policy violation can employ a management and 
control interface on the monitored equipment to effect the desired change. This 
interface may be in the form of an HTTP, HTTPS, SNMP or vendor-specific command 
line interface reachable via Telnet, SSH or another remote login interface; in addition, 
or instead, alternative interfaces could be provided via automated voice and/or tone 
recognition systems for handling telephone-based configuration of the environment. 
Multiple such interfaces could be simultaneously available. An example Web-based 
interface is depicted in FIGs. 13A1, 13A1a, 13A2, 13B1 and 13B2. 
Active Defense 

In some embodiments of the present invention, one or more active defense 
mechanisms may be triggered in response to alarm conditions, in addition to, or instead 
of, the notification process described above. The system may provide active defense 
from attacks by broadcasting data into the wireless network as well as being able to trap 
and/or map an intruder's workstation by triangulating the position of the intruder's 
workstation relative to the wireless network access points. It may also attempt to alter the 
access point configuration in a manner that makes it difficult or impossible for the 
targeted attacker to continue communications. 

By introducing CRC errors into the wireless stream, the system can actively 
defeat an attacker that is monitoring the stream for patterns to crack the encryption. 
CRC errors are introduced by transmitting at the same time as the detected intruder. 
Due to the shared-medium nature of the wireless computer network, this causes the packet 
transmission to be corrupted, preventing the intruder from successfully communicating 
with the network. 

By introducing chaff, the system can actively defeat the attacker by placing 
random frames into the stream so that the encryption pattern becomes undetectable. 
Chaff is a form of randomized packet transmission that is designed to reduce the 
probability that a statistical analysis of the packet sequence would result in breaking of 
the encryption key. This is done by emitting a low-rate background transmission of 
packets that are emitted using the same characteristics (e.g., address, initialization 
vector, etc.) of legitimately observed traffic but with a randomized payload. 

The system can lock-down a wireless network by jamming, a technique to 
prevent any unauthorized access to the wireless access point by introducing enough 
noise into the wireless network that workstations cannot physically connect to the 
wireless network. Jamming is a physical layer transmission that is performed to disrupt 
all unwanted wireless communications. It is equivalent to introducing a noise signal on 
top of the unwanted signal transmission such that any receiver would not be able to 
successfully receive the transmission. 

The system can also lock-down a wireless network through logical jamming or 
disruption. In this case, unauthorized access is prevented through disruption at the 
communications protocol layer. This is done via use of standard network management, 
control and data messages. 

In a Physical Device approach, one embodiment would utilize a standalone 
sensor to implement any of the Active Defense mechanisms. Dynamic channel change 
can be used to reroute authorized traffic to a different communication channel to avoid 
an intruder detected on a particular channel. In this approach, a channel change request 
is transmitted to the access point believed to be compromised and authorized stations 
use the new channel to communicate with the access point. This approach can also be 
used to avoid interference causing problems in communication between an access point 
and its authorized stations. 
Some embodiments including dynamic channel change may further use a 
honeypot trap that tricks the attacker into thinking the original channel is still valid and 
provides the necessary forensic information to identify the attacker. FIG. 5 depicts a 
flow chart of a process starting at step 510 used in some such embodiments 
incorporating the honeypot trap. 

In step 520, configuration information is received. This step is much the same 
as previously described steps 305 and 410 in FIGs. 3 and 4 respectively. Step 530 
represents a waiting loop that waits until an attack has been detected. Typically, an 
intrusion detection system generates a signal that triggers departure from this loop; in 
some preferred embodiments, the intrusion detection system contains the hardware 
and/or executes the process described above. The signal from the intrusion detection 
system typically includes an indicator of the access point believed to be under attack. 

In the case that an attack has been detected in 530, processing is passed to step 
540 to activate the honeypot trap. A trap thread is started in step 580; the thread 
initializes itself with the identity of the monitored access point believed to be attacked. 
This identity typically includes the MAC address, Service Set Identifier, encryption 
mode, network mode and transmission modes. Once initialized, the thread moves to 
step 590, the Trap Intruder process. This process is designed to logically fool the 
identified attacker into believing communication is still occurring with the original 
access point. This is accomplished through complete emulation of the original access 
point's identity and behavior. By maintaining communication with the attacker, a trap 
is created such that the attacker's physical proximity is assured as long as 
communication continues. Optionally, a new identity may be assumed such that a 
weaker or more vulnerable appearing access point can be presented to the attacker. 
This is done by again emulating access point functionality, but in this case with an 
identity and set of characteristics that appear vulnerable. This vulnerability appearance 
may be created through the use of no or weak encryption modes or the appearance of 
default manufacturing modes with known passwords and user IDs. 

In step 550 a control packet is sent to the original access point to change 
channels or suspend transmission while the trap is engaged. This packet encapsulates a 
message indicating the above request and may be sent in-band or out-of-band to the access 
point. In-band refers to over-the-air transmission to the access point's wireless network 
interface, whereas out-of-band transmission refers to transmission to the wired side 
interface of the access point. 

Processing in the main loop then returns to attack detection in 530. 

Triangulation determines the location of an attacker by mapping her relative 
position within the deployed wireless access points. The mapping and location 
detection process according to one or more preferred embodiments of the present 
invention as depicted in FIGs. 6A-B are discussed in greater detail below. 

The process of FIG. 6A is used to create an internal database of IP addresses 
and/or names mapped to corresponding MAC addresses. Every Address Resolution 
Protocol (ARP) transaction is detected in step 605. In step 610, the information in the 
detected transaction is used to update the internal database. Some embodiments can 
perform the identification and location processing such as depicted in FIG. 6B without 
reference to such an internal database. This database is created and maintained in one 
preferred embodiment to make the station identification and location process easier and 
more efficient. 

FIG. 6B depicts a process for identifying and locating a station within the 
wireless network. In some embodiments, this process can be used to pinpoint the 
location of a potential attacker; in some such embodiments, activation of the process is 
triggered by an intrusion detection system. In a preferred embodiment, the process is 
triggered by one of the intrusion detection systems and methods described in detail 
above. 

In step 620, a lookup occurs in the internal database, such as created via the 
process depicted in FIG. 6A, on the current MAC address to determine if an IP or name 
mapping is already available. If found, the internal database is updated in step 640 and 
execution proceeds to step 645 to query the wireless sensor array to begin position or 
location resolution. As indicated above, the internal database is one approach to 
acquiring the desired information. Some embodiments may skip this step and use 
either the wired network sensor or the reverse address resolution protocol (RARP) 
approach discussed below. 
Otherwise, an optional wired network sensor can be queried for the name 
mapping in step 625. This sensor is preferably deployed within the wired network at a 
location convenient to sniffing DHCP, LDAP, DNS or other service/name mapping 
protocols. If found, the internal database is updated in step 640 and execution proceeds 
to step 645 to query the wireless sensor array to begin position or location resolution. 
Some embodiments may not include such a wired network sensor, in which case this 
step is skipped. 

If the name is still not found, execution proceeds to step 630 where a RARP request 
is issued. This request asks the receiver population for the IP address of the MAC 
address in question. If found, the internal database is updated in step 640 and execution 
proceeds to step 645 to query the wireless sensor array to begin position or location 
resolution. 

If not found, a name/IP mapping is not available at the current time for this MAC 
address. In some embodiments, a name/IP mapping may not be desired but location or 
position information is, in which case the process can begin in such embodiments at step 
645. 

Step 645 begins the position or location resolution with a query to the wireless 
sensor array. Each sensor is queried for tracking information on the current MAC 
address in question. This tracking information identifies whether the MAC is currently 
observable by a given sensor, the sensor ID, and the signal strength associated with the 
MAC in question. The sensor array may include not only sensor devices (e.g., 230A, 
230B) but also other wireless nodes accessible from this process such as devices 210A- 
D and/or host system 220. 

From the data received via the query, the position relative to the grid of sensors is 
calculated in step 650 by computing the "signal strength" distance to each sensor. This 
distance is computed as the square root of the sum of squares of three sensor signal 
strength values. The position is then estimated to be within the proximity of the sensors 
determined to have the smallest signal strength distance to the MAC address in 
question per the above computation. Once the set of sensors is selected, the position is 
further refined by selecting the position as within the proximity of the sensor within the 
above set with the strongest signal strength. In some embodiments, the process ends at 
this point with the position information being returned. 

In embodiments maintaining a position database, this database is updated in step 
660 with the position of the MAC address in question. The process then ends at step 
670. 
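The following is an added worked example of the FIG. 6A and FIG. 6B flow, written for this edit and not code from the application itself. It builds the MAC-to-IP database from constructed ARP transactions (steps 605 and 610), runs the three-stage name lookup with the wired sensor and RARP modelled as optional callables (steps 620 to 640), and then performs the step 650 position estimate from constructed sensor answers. Assumptions not stated on the page: each sensor reports three signal strength samples in dBm (so -40 is stronger than -70), the size of the "smallest distance" proximity set is a parameter (`nearest`), and the sensor IDs reuse the page's figure labels 230A, 230B, 210A and 210B only as names.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed ARP transactions as a sensor would observe them in step 605:
# (sender MAC, sender IP). The last transaction for a MAC wins, so a station
# that moves to a new address is tracked at its current one.
ARP_TRANSACTIONS: List[Tuple[str, str]] = [
    ("00:11:22:33:44:55", "10.0.0.5"),
    ("00:11:22:33:44:66", "10.0.0.6"),
    ("00:11:22:33:44:55", "10.0.0.7"),
]


def build_arp_database(transactions: List[Tuple[str, str]]) -> Dict[str, str]:
    """FIG. 6A: fold each detected ARP transaction into the MAC -> IP database (step 610)."""
    db: Dict[str, str] = {}
    for mac, ip in transactions:
        db[mac.lower()] = ip
    return db


# A resolver answers "what IP/name belongs to this MAC?" or None (assumed interface).
Resolver = Callable[[str], Optional[str]]


def resolve_name(mac: str, db: Dict[str, str],
                 wired_sensor: Optional[Resolver] = None,
                 rarp: Optional[Resolver] = None) -> Optional[str]:
    """Steps 620-640: internal database, then optional wired sensor, then RARP."""
    mac = mac.lower()
    name = db.get(mac)                          # step 620: internal database
    if name is None and wired_sensor is not None:
        name = wired_sensor(mac)                # step 625: DHCP/DNS/LDAP sniffer on the wire
    if name is None and rarp is not None:
        name = rarp(mac)                        # step 630: RARP request to the receiver population
    if name is not None:
        db[mac] = name                          # step 640: any hit refreshes the database
    return name


@dataclass
class SensorReading:
    """One sensor's answer to the step 645 query for a given MAC."""
    sensor_id: str
    observable: bool
    rssi_dbm: Tuple[float, float, float]   # three samples, assumed dBm (closer to 0 is stronger)


def signal_distance(reading: SensorReading) -> float:
    """Step 650: 'signal strength distance' = sqrt of the sum of squares of the three values."""
    return math.sqrt(sum(v * v for v in reading.rssi_dbm))


def estimate_position(readings: List[SensorReading], nearest: int = 3) -> Optional[str]:
    """Step 650: keep the sensors with the smallest distance, then pick the one with the
    strongest single reading inside that set. Returns the chosen sensor ID or None."""
    observed = [r for r in readings if r.observable]   # unobservable sensors carry no signal
    if not observed:
        return None
    proximity_set = sorted(observed, key=signal_distance)[:nearest]
    best = max(proximity_set, key=lambda r: max(r.rssi_dbm))
    return best.sensor_id


def locate_station(mac: str, db: Dict[str, str], readings: List[SensorReading],
                   position_db: Dict[str, str], wired_sensor: Optional[Resolver] = None,
                   rarp: Optional[Resolver] = None, nearest: int = 3):
    """FIG. 6B end to end: name lookup, position estimate, position database update (step 660)."""
    name = resolve_name(mac, db, wired_sensor, rarp)
    position = estimate_position(readings, nearest)
    if position is not None:
        position_db[mac.lower()] = position
    return name, position


# Constructed sensor array answers. 230A has the smallest distance, but 230B holds the
# single strongest sample (-40 dBm), so the two-stage rule with nearest=2 selects 230B.
# 210B does not see the MAC; its placeholder samples are ignored via the observable flag.
SENSOR_READINGS = [
    SensorReading("230A", True, (-45.0, -45.0, -45.0)),
    SensorReading("230B", True, (-40.0, -52.0, -52.0)),
    SensorReading("210A", True, (-70.0, -72.0, -71.0)),
    SensorReading("210B", False, (0.0, 0.0, 0.0)),
]

if __name__ == "__main__":
    arp_db = build_arp_database(ARP_TRANSACTIONS)
    positions: Dict[str, str] = {}
    print(locate_station("00:11:22:33:44:66", arp_db, SENSOR_READINGS, positions, nearest=2))
```

The refinement step matters only when the proximity set holds more than one sensor: with `nearest=1` the estimate is simply the smallest-distance sensor (230A above), while with `nearest=2` the strongest single sample inside the set moves the estimate to 230B. A station whose MAC no sensor can see yields no position and leaves the position database untouched.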

Encrypted Network Analysis and Management 

The techniques utilized to monitor WLANs can apply in general to monitoring 
and analyzing any network link using encryption of the payload or at the IP layer and 
above rather than just WLANs. In this case, Layer 1 and Layer 2 are observed and 
decisions made at these layers in terms of signature, protocol, policy and statistical 
anomaly analysis to assess network health and security. This technique is thus 
applicable to any network (wired or wireless) exhibiting the above encryption 
characteristics of the network traffic. In other words, the multi-dimensional IDS 
implemented per our framework is more broadly applicable to managing and securing 
any encrypted network. In this case, a WLAN running WEP is one particular instance 
of an encrypted network. 

Throughout this application, various publications may have been referenced. 
The disclosures of these publications in their entireties are hereby incorporated by 
reference into this application in order to more fully describe the state of the art to 
which this invention pertains. 

The embodiments described above are given as illustrative examples only. It 
will be readily appreciated by those skilled in the art that many deviations may be made 
from the specific embodiments disclosed in this specification without departing from 
the invention. 